Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure
Action: Patch Now
AI Analysis

Impact

The vulnerability is a cache poisoning flaw in the SvelteKit Vercel adapter with versions prior to 6.3.2. An internal query parameter used by Incremental Static Regeneration can be accessed on any route, allowing an attacker to instruct the system to cache responses that contain user‑specific content. When a victim who is authenticated follows a malicious link, the crafted request can cause the private response to be cached and subsequently served to other users, leading to a confidentiality breach. This flaw is classified as CWE‑346, reflecting a broken object‑level authorization that permits unauthorized access to sensitive data.

Affected Systems

The flaw affects applications built with SvelteKit that use the @sveltejs/adapter-vercel package older than version 6.3.2. Any deployment of such an app on Vercel, or similar hosting environments where the internal query parameter is exposed, is at risk until the upgrade to the fixed version is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1 %, meaning the probability of exploitation is low but not negligible. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the victim to be authenticated and to click on a specially crafted link that includes the internal query parameter. Host‑level protection such as Vercel's WAF can block the request, so existing deployments are currently shielded by that mechanism, but the issue remains unresolved if the app can be accessed without that WAF protection.

Generated by OpenCVE AI on April 18, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @sveltejs/adapter-vercel package to version 6.3.2 or later.
  • If an immediate upgrade is not possible, add application middleware that rejects or ignores requests containing the internal ISR query parameter to prevent cache poisoning.
  • Ensure that the deployment environment has Vercel's WAF enabled or implement an equivalent WAF rule to block request paths that use the internal query parameter.

Generated by OpenCVE AI on April 18, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9pq4-5hcf-288c Cache poisoning in @sveltejs/adapter-vercel
History

Tue, 24 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte kit
Vendors & Products Svelte
Svelte kit

Fri, 20 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
Title Cache poisoning in @sveltejs/adapter-vercel
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Svelte Kit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:42:11.028Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27118

cve-icon Vulnrichment

Updated: 2026-02-24T18:42:01.436Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T22:16:29.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27118

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses