CVE-2024-23641

Published: Jan 24, 2024

Modified: Nov 13, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue.

Vendor	Product	Versions
sveltejs	kit	affected `>= 2.0.0, < 2.4.3` affected `>= 2.0.0, < 2.1.2` affected `>= 3.0.0, < 3.0.3` affected `= 4.0.0`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49

x_refsource_CONFIRM

https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-23641

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References