SvelteKit Memory Exhaustion Vulnerability in Remote Functions

Vulnerability

A denial-of-service vulnerability has been identified in SvelteKit versions 2.49.0 through 2.49.4. The issue arises in the experimental form remote function, which uses a binary data format to represent submitted form data. The server allocates memory according to the data length declared in the submitted payload rather than the data it has actually received, so an attacker can send a specially crafted payload that makes the server allocate far more memory than the request carries, leading to memory exhaustion. This vulnerability affects only SvelteKit applications that have experimental remote functions enabled and expose a reachable Remote Form endpoint.

Impact

Exploitation of this vulnerability can cause memory exhaustion on the server, potentially leading to a denial-of-service condition where the application becomes unresponsive or unavailable.

Reproduction

To reproduce this vulnerability, send a request to a SvelteKit Remote Form endpoint with the 'Content-Type' header set to 'application/x-sveltekit-formdata'. In the payload, declare a large data length in the length header but send only a small amount of actual data. Then stall the connection: keep it open without sending the remaining bytes or closing it, so the server continues to hold the memory it allocated for the declared length. Each stalled connection holds its own allocation, so several concurrent connections of this kind compound the effect until the server exhausts its memory.
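The following is an added example, not SvelteKit's code and not the 2.49.5 patch. It shows the general failure mode behind this advisory (a reader that allocates a buffer sized by a client-declared length before any bytes arrive) next to a bounded reader that caps the declared length and holds only the bytes actually received. The framing is hypothetical: a 4-byte big-endian length prefix followed by payload bytes, which is not the real application/x-sveltekit-formdata encoding, and the 1 MiB cap is an assumed policy value.

```javascript
// Added example, not SvelteKit's own code: a length-prefixed body reader that
// reproduces the failure mode in this advisory (the server trusts a
// client-declared length and allocates it before any bytes arrive) next to a
// bounded reader. The framing is hypothetical: a 4-byte big-endian length
// prefix followed by payload bytes. It is not the real
// application/x-sveltekit-formdata encoding.

const MAX_BODY_BYTES = 1024 * 1024; // assumed policy: at most 1 MiB per submission

// Build the length prefix the way a client (honest or not) would.
function encodeHeader(declaredLength) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(declaredLength, 0);
  return header;
}

// Vulnerable pattern: allocate the full declared size up front and wait for
// the body to fill it. Returns the allocation size so the cost of a lying
// header is visible. In a real server this buffer stays allocated for as long
// as the stalled connection remains open.
function vulnerableAllocate(header) {
  const declared = header.readUInt32BE(0);
  const buf = Buffer.alloc(declared); // size chosen entirely by the client
  return buf.length;
}

// Hardened pattern: reject declared lengths above a cap before allocating, then
// buffer only the bytes that actually arrive. `chunks` is any iterable of
// Buffers standing in for the request stream; a stalling client simply stops
// yielding chunks, so `retained` reports how much memory the request ever held.
function hardenedCollect(header, chunks, maxBytes = MAX_BODY_BYTES) {
  const declared = header.readUInt32BE(0);
  if (declared > maxBytes) {
    return { ok: false, retained: 0, reason: `declared ${declared} exceeds limit ${maxBytes}` };
  }
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > declared) {
      return { ok: false, retained: 0, reason: 'body exceeds declared length' };
    }
    parts.push(chunk);
  }
  if (received < declared) {
    // Stalled or truncated: only `received` bytes were held, and they are
    // released as soon as this function returns.
    return { ok: false, retained: received, reason: `truncated: ${received} of ${declared} bytes` };
  }
  return { ok: true, retained: received, body: Buffer.concat(parts, received) };
}

// Constructed inputs: a header claiming 16 MiB followed by three bytes and then
// silence (the attack), and an honest ten-byte submission.
const lyingHeader = encodeHeader(16 * 1024 * 1024);
const stalledChunks = [Buffer.from('abc')];
const honestPayload = Buffer.from('name=alice');
const honestHeader = encodeHeader(honestPayload.length);

console.log('vulnerable reader allocated', vulnerableAllocate(lyingHeader), 'bytes for 3 bytes of data');
console.log('hardened reader, lying header:', hardenedCollect(lyingHeader, stalledChunks));
console.log('hardened reader, honest body:', hardenedCollect(honestHeader, [honestPayload]).ok);
```

The cap and the incremental buffering bound memory per request, but a stalled connection still occupies a socket, so in a real deployment pair this with an idle read timeout (for a Node HTTP server, `server.requestTimeout`) so that a client that stops sending is disconnected rather than held open indefinitely.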

Remediation

Upgrade to SvelteKit version 2.49.5, where this vulnerability has been fixed. Applications that do not enable experimental remote functions, or that expose no Remote Form endpoint, are not affected.

Added: Jan 15, 2026, 7:19 PM
Updated: Jan 15, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 7.8
remediation: 7.7
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.