Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
Published: 2026-01-15
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Immediate Patch
AI Analysis

Impact

SvelteKit’s experimental form remote function, used from versions 2.49.0 through 2.49.4, deserializes binary data that represents submitted form data. A specially crafted payload can trigger the server to allocate a large volume of memory, leading to a denial‑of‑service through memory exhaustion. The weakness corresponds to uncontrolled or arbitrary resource consumption (CWE‑770) and inappropriate input handling (CWE‑789).

Affected Systems

Vulnerable releases of the SvelteKit framework, specifically versions 2.49.0, 2.49.1, 2.49.2, 2.49.3, and 2.49.4, built with Node.js and used in web applications by developers specifying adapter-node. No other product versions are mentioned as affected.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.2, indicating high severity. The EPSS score is below 1 %, suggesting a low but nonzero probability of exploitation at present, and it is not listed in CISA’s KEV catalog. The attack vector is inferred to be a network‑bound HTTP request to a remote function endpoint, which accepts a binary payload, enabling an attacker to trigger memory exhaustion from a remote location.

Generated by OpenCVE AI on April 18, 2026 at 06:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch by upgrading SvelteKit to version 2.49.5 or later, which removes the binary deserializer flaw.
  • If an upgrade cannot be performed immediately, disable or remove the experimental form remote function feature until the vulnerability is fixed, to eliminate the attack surface.
  • As an additional safeguard, configure the server to enforce strict limits on inbound request body sizes or overall memory usage, reducing the chance of successful memory amplification.
  • Monitor application logs and network traffic for unusually large payloads, and enforce rate limiting on the affected endpoints if possible.

Generated by OpenCVE AI on April 18, 2026 at 06:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j2f3-wq62-6q46 @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata)
History

Wed, 21 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
CPEs cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte kit
Vendors & Products Svelte
Svelte kit

Thu, 15 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
Description SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
Title SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer
Weaknesses CWE-789
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Svelte Kit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T19:06:13.528Z

Reserved: 2026-01-09T22:50:10.287Z

Link: CVE-2026-22803

cve-icon Vulnrichment

Updated: 2026-01-15T19:06:10.859Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T19:16:06.120

Modified: 2026-01-21T20:34:46.277

Link: CVE-2026-22803

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses