Update dependency @sveltejs/kit to v2.49.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sveltejs/kit (source)	2.49.4 → 2.49.5

GitHub Vulnerability Alerts

CVE-2026-22803

Summary

The experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion.

Details

When a form is submitted to a remote function endpoint, the SvelteKit client encodes the data using a custom format, and POSTs it to the endpoint as a request with an application/x-sveltekit-formdata content type.

The first few bytes of the request body encode the length of the data. SvelteKit will attempt to read the request body up until the specified offset, but if the body is not yet available then an array buffer of that size will be created eagerly to accommodate it as it arrives.

An attacker can force this code path by sending a small payload that specifies a large data length, then stalling the connection. The resulting array buffer will be held in memory, potentially causing memory exhaustion.

Impact

• Vulnerability type: Availability / memory exhaustion (memory amplification).
• Who is impacted: SvelteKit apps with experimental.remoteFunctions enabled, and that expose a reachable Remote Form endpoint.
• Attack: an unauthenticated attacker can repeatedly open connections, send only the 8-byte header/prefix (with large data_length), and stall the body to hold large allocations, exhausting memory.

CVE-2025-67647

Summary

Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.

Details

Affected versions from 2.44.0 onwards are vulnerable to DoS if:

• your app has at least one prerendered route (export const prerender = true)

Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:

• your app has at least one prerendered route (export const prerender = true)
• AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation

Impact

The DoS causes the running server process to end.

The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.

It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo)
• d-xuan (wednesday)

---

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.49.5

Compare Source

Patch Changes

• fix: avoid overriding Vite default base when running Vitest 4 (#​14866)

• fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

• fix: add length checks to remote forms (8ed8155)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.