CVE-2025-67647

Published Jan 15, 2026

Last updated 15 hours ago

CVSS high 8.4

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-67647 is a vulnerability affecting the Svelte ecosystem, specifically the `@sveltejs/kit` and `@sveltejs/adapter-node` packages. This flaw can lead to a denial of service (DoS) and, under certain conditions, a Server-Side Request Forgery (SSRF) when prerendering is utilized. Users are susceptible to a denial of service if they are running `@sveltejs/kit` versions 2.44.0 through 2.49.4 and their application includes at least one prerendered route. The vulnerability extends to both DoS and SSRF if `@sveltejs/kit` versions 2.19.0 through 2.49.4 are in use, the app has a prerendered route, and `@sveltejs/adapter-node` is deployed without a configured `ORIGIN` environment variable or a reverse proxy with Host header validation.

Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.4
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-248

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

10

  1. Happy to publish our first research of the year on the SvelteKit framework, downloaded over 800,000 times per week, which led to CVE-2025-67647 (w/@inzo____): Avoiding the paradox: A native full-read SSRF and one‑shot DoS in SvelteKit https://t.co/ZhWSK6Ugp3 Enjoy the read

    @zhero___

    16 Jan 2026

    5406 Impressions

    32 Retweets

    180 Likes

    74 Bookmarks

    5 Replies

    0 Quotes

  2. CVE-2025-67647 SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request fo… https://t.co/jEqek1bwAy

    @CVEnew

    15 Jan 2026

    97 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.