GHSA-g5m6-hxpp-fc49

Published: Jan 24, 2024
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

Sending a GET or HEAD request with a body crashes SvelteKit

Summary

In SvelteKit 2, sending a GET request with a body (e.g. `{}`) to a SvelteKit app running under `vite preview` or built with adapter-node throws `Request with GET/HEAD method cannot have body.` and crashes the app.

node:internal/deps/undici/undici:6066
      throw new TypeError("Request with GET/HEAD method cannot have body.");
      ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

PoC

First do a fresh install of SvelteKit 2 with the example app (TypeScript).

  1. npm run build
  2. npm run preview
  3. Go to http://localhost:4173 (works)
  4. curl -X GET -d "{}" http://localhost:4173/bye
  5. Application crashes and http://localhost:4173 is down
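The crash and one way to avoid it, as an added example that is not code from SvelteKit, adapter-node or the advisory author. It reimplements, in miniature, the step at which the `getRequest` frame in the stack trace above turns a Node `IncomingMessage` into a Fetch API `Request`: the unsafe form forwards the body for every method and lets undici's `TypeError` escape; the hardened form discards the body for GET/HEAD, refuses the methods the Fetch API forbids (TRACE among them) before calling `new Request`, and an adapter-style handler maps any translation failure to a 4xx response. The example needs Node 18 or later for the global `Request`; `fakeIncoming`, `getRequestUnsafe`, `getRequestSafe`, `translationThrows`, `handle` and the `ORIGIN` constant are hypothetical names, the incoming requests are constructed inline, and the hardening strategy is my choice, not a copy of the upstream patch.

```javascript
// Added example, not code from SvelteKit, adapter-node or the advisory.
// Requires Node 18+ (global Request backed by undici). All names are hypothetical.
const ORIGIN = 'http://localhost:4173';

// Constructed stand-in for the parts of http.IncomingMessage used here. Real
// adapters read the body as a stream; a string is enough to trigger the bug.
function fakeIncoming(method, body, headers = { 'content-type': 'application/json' }) {
  return { method, url: '/bye', headers, body };
}

// Vulnerable form: forwards whatever body arrived, for every method.
// undici's Request constructor throws a TypeError for a GET/HEAD body
// ("Request with GET/HEAD method cannot have body.") and for the methods the
// Fetch API forbids (TRACE, TRACK, CONNECT). With no catch around this call in
// the HTTP handler the exception is unhandled and the Node process exits,
// which is the denial of service the advisory describes.
function getRequestUnsafe(incoming) {
  return new Request(ORIGIN + incoming.url, {
    method: incoming.method,
    headers: incoming.headers,
    body: incoming.body ?? undefined,
  });
}

const BODYLESS_METHODS = new Set(['GET', 'HEAD']);
const FETCH_FORBIDDEN_METHODS = new Set(['TRACE', 'TRACK', 'CONNECT']);

// Hardened form (my approach, not the upstream patch): reject methods the
// Fetch API cannot represent before touching `new Request`, and discard the
// body for GET/HEAD. RFC 9110 gives a GET body no defined semantics, so
// dropping it loses nothing a conforming client relies on.
function getRequestSafe(incoming) {
  const method = String(incoming.method).toUpperCase();
  if (FETCH_FORBIDDEN_METHODS.has(method)) {
    const err = new Error(`Method ${method} not allowed`);
    err.status = 405;
    throw err;
  }
  return new Request(ORIGIN + incoming.url, {
    method,
    headers: incoming.headers,
    body: BODYLESS_METHODS.has(method) ? undefined : incoming.body ?? undefined,
  });
}

// True when translating `incoming` with `getRequest` throws, i.e. when an
// adapter with no catch around that call would bring the process down.
function translationThrows(incoming, getRequest) {
  try {
    getRequest(incoming);
    return false;
  } catch {
    return true;
  }
}

// Adapter-style handler: any failure to translate the incoming request becomes
// a 4xx response, so nothing thrown by the translation step reaches the event
// loop as an uncaught exception. The response is a plain object here; a real
// adapter would write it to the ServerResponse.
function handle(incoming, getRequest = getRequestSafe) {
  let request;
  try {
    request = getRequest(incoming);
  } catch (err) {
    if (err.status) return { status: err.status, body: err.message };
    if (err instanceof TypeError) return { status: 400, body: 'Bad Request' };
    throw err; // a genuine bug elsewhere should still surface
  }
  const path = new URL(request.url).pathname;
  return { status: 200, body: `${request.method} ${path} hasBody=${request.body !== null}` };
}

// Step 4 of the PoC (curl -X GET -d "{}" /bye) replayed against both forms.
const getWithBody = fakeIncoming('GET', '{}');
console.log('unsafe translation throws on GET+body:', translationThrows(getWithBody, getRequestUnsafe)); // true
console.log('safe translation throws on GET+body:  ', translationThrows(getWithBody, getRequestSafe));   // false
console.log('safe handler, GET+body: ', handle(getWithBody));                // { status: 200, body: 'GET /bye hasBody=false' }
console.log('safe handler, TRACE:    ', handle(fakeIncoming('TRACE', null))); // status 405
console.log('unsafe translation behind the catch, GET+body:', handle(getWithBody, getRequestUnsafe)); // status 400
```

The last line shows that wrapping the vulnerable translation in the handler's try/catch alone already turns the crash into a 400; dropping the body for GET/HEAD additionally lets such requests be served normally, which matters because some proxies and clients do send an empty JSON body on GET.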

Impact

Denial of Service for apps using adapter-node

Packages

Package                  Registry   Affected versions     Patched version
@sveltejs/kit            npm        >= 2.0.0, < 2.4.3     2.4.3
@sveltejs/adapter-node   npm        >= 2.0.0, < 2.1.2     2.1.2
@sveltejs/adapter-node   npm        >= 3.0.0, < 3.0.3     3.0.3
@sveltejs/adapter-node   npm        = 4.0.0               4.0.1

EPSS

Percentile: 49%
Score: 0.00263
Low

CVSS3

7.5 High

Weaknesses

CWE-20

Related vulnerabilities

CVSS3: 7.5
nvd
about 2 years ago

SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.
