SvelteKit Server-Side Request Forgery and Denial-of-Service Vulnerability

Vulnerability

A vulnerability in SvelteKit prior to version 2.49.5 allows server-side request forgery (SSRF) and denial of service (DoS) under certain conditions. The DoS is reachable when an application has at least one prerendered route, uses adapter-node without a configured ORIGIN environment variable, and is not behind a reverse proxy that validates Host headers. The SSRF aspect allows access to internal services that do not require authentication, and can also enable cache poisoning that results in cross-site scripting.

Impact

Exploitation of this vulnerability causes the server process to terminate, leading to a denial-of-service condition. The SSRF component allows unauthorized access to internal services, which could be used to fetch sensitive data or interact with internal applications. Additionally, according to the advisory, cross-site scripting can be obtained via cache poisoning, by forcing a CDN to cache a response containing XSS that is served from the attacker's server.

Remediation

Upgrade to SvelteKit version 2.49.5 or later to address this vulnerability. For deployments using the SvelteKit adapter for Node (adapter-node), version 5.5.1 patches the issue.
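The preconditions named in the Vulnerability section (no ORIGIN configured and no Host-validating reverse proxy) can be enforced as a compensating control while the upgrade is rolled out. The following is an added Node.js example, not code from SvelteKit or the advisory; the function names, the allowlist contents and the 421 response are assumptions.

```javascript
// Added example, not SvelteKit's own code: a Host-header allowlist guard and a
// startup check that refuses to run without ORIGIN. Names and the allowlist
// values are assumptions constructed for this example.

const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost']); // constructed

// Normalise a raw Host header to a lower-case hostname without the port, or
// return null if the value is missing or not hostname-shaped.
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let host = raw.trim().toLowerCase();
  if (host.startsWith('[')) {            // bracketed IPv6 literal, e.g. [::1]:3000
    const end = host.indexOf(']');
    return end === -1 ? null : host.slice(0, end + 1);
  }
  const colon = host.indexOf(':');       // strip ":port"
  if (colon !== -1) host = host.slice(0, colon);
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// True only when the Host header names a host this deployment actually serves.
function isAllowedHost(rawHost, allowlist = ALLOWED_HOSTS) {
  const host = normalizeHost(rawHost);
  return host !== null && allowlist.has(host);
}

// Startup guard for the advisory's precondition: with no ORIGIN, adapter-node
// has to derive the origin from request headers, so refuse to start instead.
function assertOriginConfigured(env) {
  if (!env.ORIGIN) {
    throw new Error('ORIGIN is not set; refusing to derive origin from Host headers');
  }
  const url = new URL(env.ORIGIN);       // throws on a malformed value
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('ORIGIN must be an http(s) URL');
  }
  return url.origin;
}

// Middleware-style wrapper: answer 421 Misdirected Request for unknown hosts
// before the request reaches the SvelteKit handler.
function guardHost(req, res, next) {
  if (!isAllowedHost(req.headers.host)) {
    res.statusCode = 421;
    res.end('Misdirected Request');
    return;
  }
  next();
}
```

Call assertOriginConfigured(process.env) once at startup and mount guardHost in front of the adapter-node handler; the upgrade in the Remediation section is still the actual fix.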

Added: Jan 15, 2026, 7:53 PM
Updated: Jan 15, 2026, 7:53 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 9.0
remediation: 7.7
relevance: 2.1
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.