Summary
Versions of SvelteKit are vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions.
Details
Affected versions from 2.44.0 onwards are vulnerable to DoS if:
- your app has at least one prerendered route (export const prerender = true)
Affected versions from 2.19.0 onwards are vulnerable to DoS and SSRF if:
- your app has at least one prerendered route (export const prerender = true)
- AND you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation
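The two conditions above, together with the fixed versions given under Remediation advice, can be turned into a preflight check that a defender runs in CI or at deploy time. The following is an added example and is not code from the advisory or from the SvelteKit project; the version boundaries are the ones stated on this page, while the function names (`assess`, `hasPrerenderedRoute`, `inAffectedRange`) and the sample route sources and versions are constructed for this example. It reads only the ORIGIN environment variable that the advisory names and treats "a reverse proxy with Host validation" as a caller-supplied boolean, since that cannot be detected from inside the app.

```javascript
// Added example, not code from the advisory or from the SvelteKit project.
// Classifies a SvelteKit deployment against the conditions this advisory
// lists for CVE-2025-67647. Version boundaries are the advisory's; all
// function names and the sample inputs below are constructed for this example.

const AFFECTED = {
  '@sveltejs/kit': { min: '2.19.0', max: '2.49.4', fixed: '2.49.5', dosFrom: '2.44.0' },
  '@sveltejs/adapter-node': { min: '5.4.1', max: '5.5.0', fixed: '5.5.1' },
};

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check against an AFFECTED entry.
function inAffectedRange(version, range) {
  return compareVersions(version, range.min) >= 0 && compareVersions(version, range.max) <= 0;
}

// True if any route module source enables prerendering, which the advisory
// names as the precondition for both the DoS and the SSRF.
function hasPrerenderedRoute(routeSources) {
  const re = /export\s+const\s+prerender\s*=\s*true\b/;
  return routeSources.some((src) => re.test(src));
}

// Apply the advisory's two conditions and return a structured result.
//   versions: { '@sveltejs/kit': '2.x.y', '@sveltejs/adapter-node': '5.x.y' }
//   routeSources: array of route module source strings
//   env: process environment (only ORIGIN is consulted)
//   hostValidatingProxy: true if a reverse proxy in front validates Host
function assess({ versions, routeSources, env = {}, hostValidatingProxy = false }) {
  const kit = versions['@sveltejs/kit'];
  const adapter = versions['@sveltejs/adapter-node'];
  const kitRange = AFFECTED['@sveltejs/kit'];
  const adapterRange = AFFECTED['@sveltejs/adapter-node'];
  const prerendered = hasPrerenderedRoute(routeSources);
  const result = { prerendered, dos: false, ssrf: false, findings: [] };

  if (!kit || !inAffectedRange(kit, kitRange) || !prerendered) return result;

  // Condition 1: kit >= 2.44.0 with a prerendered route is a DoS regardless
  // of adapter or ORIGIN; only an upgrade removes it.
  if (compareVersions(kit, kitRange.dosFrom) >= 0) {
    result.dos = true;
    result.findings.push(
      `@sveltejs/kit ${kit} with a prerendered route: DoS; upgrade to ${kitRange.fixed} or later`,
    );
  }

  // Condition 2: kit >= 2.19.0 with adapter-node, no ORIGIN and no
  // Host-validating proxy is DoS and SSRF; ORIGIN or such a proxy mitigates it.
  const exposedAdapter =
    adapter && inAffectedRange(adapter, adapterRange) && !env.ORIGIN && !hostValidatingProxy;
  if (exposedAdapter) {
    result.dos = true;
    result.ssrf = true;
    result.findings.push(
      `@sveltejs/adapter-node ${adapter} without ORIGIN or upstream Host validation: DoS and SSRF; ` +
        `set ORIGIN and upgrade to ${adapterRange.fixed} or later`,
    );
  }
  return result;
}

// Constructed sample inputs so the script runs stand-alone.
const SAMPLE_ROUTES = [
  'export const prerender = true;\nexport function load() { return { title: "About" }; }',
  'export const ssr = true;\nexport async function load({ fetch }) { return {}; }',
];
const SAMPLE_VERSIONS = { '@sveltejs/kit': '2.45.0', '@sveltejs/adapter-node': '5.4.2' };

const unmitigated = assess({ versions: SAMPLE_VERSIONS, routeSources: SAMPLE_ROUTES, env: {} });
const withOrigin = assess({
  versions: SAMPLE_VERSIONS,
  routeSources: SAMPLE_ROUTES,
  env: { ORIGIN: 'https://app.example.com' },
});

console.log('unmitigated:', unmitigated);
console.log('with ORIGIN:', withOrigin);
```

Run it with `node check.js`, feeding real values from the lockfile, the `src/routes` sources and `process.env` in place of the constructed samples. The two sample runs make the advisory's nuance visible: setting ORIGIN clears the SSRF finding for the adapter-node branch, but a kit version at or above 2.44.0 with a prerendered route keeps its DoS finding until the package is upgraded.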
Impact
The DoS causes the running server process to end.
The SSRF allows access to internal services that can be reached without authentication when fetched from SvelteKit's server runtime.
It is also possible to obtain an SXSS via cache poisoning, by forcing a potential CDN to cache an XSS returned by the attacker's server (the latter being able to specify the cache-control of their choice).
Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Upgrade @sveltejs/kit to 2.49.5 or later and @sveltejs/adapter-node to 5.5.1 or later.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-67647? CVE-2025-67647 is a high-severity uncontrolled resource consumption vulnerability in @sveltejs/kit (npm), affecting versions >= 2.19.0, <= 2.49.4. It is fixed in @sveltejs/kit 2.49.5 and @sveltejs/adapter-node 5.5.1. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
- Which packages are affected by CVE-2025-67647?
  - @sveltejs/kit (npm), versions >= 2.19.0, <= 2.49.4
  - @sveltejs/adapter-node (npm), versions >= 5.4.1, <= 5.5.0
- Is there a fix for CVE-2025-67647? Yes. CVE-2025-67647 is fixed in @sveltejs/kit 2.49.5 and @sveltejs/adapter-node 5.5.1. Upgrade to these versions or later.
- Is CVE-2025-67647 exploitable, and should I be worried? Whether CVE-2025-67647 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2025-67647 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-67647?
  - Upgrade @sveltejs/kit to 2.49.5 or later
  - Upgrade @sveltejs/adapter-node to 5.5.1 or later