CVE-2025-67647

Опубликовано: 15 янв. 2026

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:svelte:adapter-node:*:*:*:*:*:node.js:*:*

Версия от 5.4.1 (включая) до 5.5.1 (исключая)

cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*

Версия от 2.19.0 (включая) до 2.49.5 (исключая)

EPSS

Процентиль: 4%

0.00018

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-248

CWE-918

Связанные уязвимости

GHSA-j62c-4x62-9r35

github

23 дня назад

SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering