The Svelte team has released emergency patches addressing five security vulnerabilities affecting devalue, svelte, @sveltejs/kit, and @sveltejs/adapter-node packages, including multiple denial-of-service flaws and an XSS vulnerability requiring immediate upgrades.
The Svelte framework ecosystem is addressing significant security concerns with patches released for five vulnerabilities across critical packages. Developers using Svelte, SvelteKit, or related tooling must upgrade immediately to prevent potential denial-of-service attacks, server-side request forgery, and cross-site scripting exploits.
Critical Upgrades Required
- devalue: Upgrade to v5.6.2
- svelte: Upgrade to v5.46.4
- @sveltejs/kit: Upgrade to v2.49.5
- @sveltejs/adapter-node: Upgrade to v5.5.1
The patched svelte and @sveltejs/kit releases already depend on the fixed devalue, so upgrading them resolves the cross-dependency issue as well. The vulnerabilities were discovered through coordinated disclosure with security researchers and Vercel's security team.
Vulnerability Breakdown
CVE-2026-22775 & CVE-2026-22774: devalue DoS Vulnerabilities
- Affects: devalue v5.1.0-5.6.1
- Trigger: Parsing user-controlled input
- Impact: Malicious payloads cause uncontrolled memory/CPU allocation leading to process crashes
- SvelteKit Exposure: Only affects projects with experimental remote functions enabled
CVE-2026-22803: Remote Functions Memory Amplification
- Affects: @sveltejs/kit v2.49.0-2.49.4
- Requirements: Experimental remote functions flag enabled + form submissions
- Impact: Specially crafted requests cause memory exhaustion and application hangs
CVE-2025-67647: Prerendering DoS/SSRF Vulnerability
- Affects:
  - @sveltejs/kit v2.19.0-2.49.4
  - @sveltejs/adapter-node
- DoS Trigger: Prerendered routes present
- SSRF Trigger: Missing ORIGIN environment variable + no reverse proxy host validation
- Impact:
  - Server process termination
  - Potential internal network access
  - Cache poisoning leading to stored XSS
CVE-2025-15265: Hydratable XSS Vulnerability
- Affects: svelte v5.46.0-5.46.3
- Trigger: Unsanitized user-controlled strings passed as keys in hydratable components
- Impact: Cross-site scripting execution on client devices
Ecosystem Implications
This vulnerability cluster follows recent security incidents across web development tools, highlighting shared challenges in dependency management. The Svelte team plans to implement improved code review processes to catch similar issues earlier. Notably, three vulnerabilities required specific experimental features (remote functions) or misconfigurations, underscoring the security trade-offs of cutting-edge functionality.
To report a newly discovered vulnerability, the team directs researchers to the GitHub Security tab of the relevant repository (SvelteKit, Svelte). Full advisories are accessible via the Svelte security page.