Platform: nodejs
Component: @sveltejs/kit
Fixed in: 2.19.1 / 2.49.5
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability in @sveltejs/kit. The vulnerable configuration is an application with prerendered routes (export const prerender = true) deployed with adapter-node where the ORIGIN environment variable is not set and no reverse proxy in front of the application implements HSTS. The SSRF affects versions 2.19.0 and later; the DoS additionally affects versions 2.44.0 and later. Both are fixed in version 2.49.5.
Without ORIGIN, adapter-node derives the application's origin from the request's Host header, so an attacker who controls that header controls the origin the server builds requests and redirects from. That is the SSRF: server-side requests can be steered to internal resources or to external services on the application's behalf, which can lead to data exfiltration, unauthorized access to internal systems, and further compromise where a reachable internal service is itself exploitable. The DoS component lets an attacker trigger excessive requests and exhaust server resources, making the application unavailable. Note that ORIGIN is not an outbound allowlist; it pins the origin the server trusts instead of letting each request supply one, which is why its absence is the key precondition. The pattern is the familiar SSRF one: a server-side process is made to reach resources the attacker could not reach directly.
This vulnerability was publicly disclosed on 2026-01-15. The CVSS score of 7.5 (HIGH) indicates a significant risk. There are currently no known active exploitation campaigns targeting it, but a public proof-of-concept exists, which could change this. It is not listed in the CISA KEV catalog at the time of writing.
Applications built with @sveltejs/kit that use prerendered routes with adapter-node are at risk, particularly those without a configured ORIGIN environment variable or a Host-validating reverse proxy with HSTS in front of them. Shared hosting environments are especially exposed, because users there often cannot set environment variables for the Node process or put their own proxy in front of it.
• nodejs / server: ps aux | grep -i node (adapter-node builds are normally started as "node build", so look for node processes rather than a process named "sveltekit" and confirm which one serves the SvelteKit build)
• nodejs / server: find / -name 'svelte.config.js' -print 2>/dev/null (locate SvelteKit projects on the host, then check which adapter each config imports)
• nodejs / server: npm ls @sveltejs/kit (run in the project directory; affected if the resolved version is 2.19.0 through 2.49.4)
• nodejs / server: grep -r 'export const prerender = true' src (find prerendered routes; searching from '.' as well walks node_modules and produces noise)
• nodejs / server: env | grep ORIGIN in the environment the application is started from, and also the unit file, container spec or process manager config that sets it. An empty result means the origin is derived from the request's Host header.
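The checks above can be combined into one script. The following is an added example and not code from the advisory or the SvelteKit project: it applies the version ranges the page states (SSRF 2.19.0 through 2.49.4, DoS additionally from 2.44.0, fixed in 2.49.5) to a package-lock.json object and to the deployment facts the checks produce. The lockfile fragment and the deployment values are constructed so it runs offline; hostnames are placeholders.

```javascript
// Added example, not code from the original advisory or the SvelteKit project.
// Classifies an installed @sveltejs/kit version against the ranges the page
// gives and combines it with the deployment preconditions (adapter-node,
// prerendered routes, ORIGIN unset). Sample data below is constructed.
'use strict';

const SSRF_RANGE = ['2.19.0', '2.49.4'];
const DOS_RANGE = ['2.44.0', '2.49.4'];
const FIXED_VERSION = '2.49.5';

// Compare major.minor.patch numerically; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function inRange(version, [low, high]) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Resolved @sveltejs/kit version from a package-lock.json (lockfileVersion 2 or 3) object.
function kitVersionFromLock(lock) {
  const entry = lock.packages && lock.packages['node_modules/@sveltejs/kit'];
  return entry ? entry.version : null;
}

// deployment = { adapterNode: boolean, prerender: boolean, origin: string | undefined }
// where origin is the ORIGIN environment variable the app is started with.
function assess(kitVersion, deployment) {
  if (!kitVersion) return { status: 'not-installed', findings: [] };
  if (!inRange(kitVersion, SSRF_RANGE)) return { status: 'outside-affected-range', findings: [] };
  const exposed = deployment.adapterNode && deployment.prerender && !deployment.origin;
  if (!exposed) {
    // Vulnerable code is present but the preconditions are not met; still upgrade.
    return { status: 'affected-version-preconditions-unmet', findings: ['upgrade to ' + FIXED_VERSION] };
  }
  const findings = ['SSRF: ORIGIN unset with prerendered routes on adapter-node'];
  if (inRange(kitVersion, DOS_RANGE)) findings.push('DoS: version is 2.44.0 or later');
  findings.push('upgrade to ' + FIXED_VERSION);
  return { status: 'exposed', findings };
}

// Constructed sample lockfile fragment; in practice load it with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
const sampleLock = {
  lockfileVersion: 3,
  packages: { 'node_modules/@sveltejs/kit': { version: '2.46.0' } },
};

// Deployment facts as the checks above would report them (constructed here).
const weakDeployment = { adapterNode: true, prerender: true, origin: undefined };
const pinnedDeployment = { adapterNode: true, prerender: true, origin: 'https://app.example' };

console.log(assess(kitVersionFromLock(sampleLock), weakDeployment));
console.log(assess(kitVersionFromLock(sampleLock), pinnedDeployment));
```

Feed it the real lockfile and the values from env, the unit file and the route grep; a result of "exposed" with a DoS finding means both issues apply, while "affected-version-preconditions-unmet" still calls for the upgrade because the preconditions can change with a redeploy.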
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2025-67647 is to upgrade @sveltejs/kit to version 2.49.5 or later. If that is not immediately feasible, set the ORIGIN environment variable for adapter-node (for example ORIGIN=https://app.example node build) so that SvelteKit uses a fixed origin instead of deriving it from the request's Host header. ORIGIN does not restrict which domains the server may contact; it removes the attacker's influence over the origin, which is what the SSRF relies on. Alternatively, put a reverse proxy in front of the application that validates the Host header against the hostnames you serve and enforces HSTS, so that a spoofed Host never reaches the Node process. Review the prerendering configuration and prerender only the routes you intend to. After upgrading, verify the fix by requesting a prerendered route with a Host header pointing at a host you control and confirming that nothing in the response (Location headers, absolute URLs) reflects the spoofed value and that no request from the server arrives at that host.
Update SvelteKit to version 2.49.5 or later. This fixes the denial-of-service (DoS) and the possible server-side request forgery (SSRF) vulnerability. If you cannot update immediately, review your adapter-node configuration and make sure you have configured an ORIGIN environment variable or use a reverse proxy that validates the Host header.
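To make the difference between the two configurations concrete, the following added example (not SvelteKit's or adapter-node's own code) models how the request origin is resolved when ORIGIN is unset versus set, and what a Host-validating proxy in front of the app checks. The variable names ORIGIN, PROTOCOL_HEADER and HOST_HEADER are adapter-node's documented ones; the fallback to the raw Host header with an http scheme, the hostnames and the allowlist are assumptions of this model.

```javascript
// Added example, not code from SvelteKit or adapter-node. Models origin
// resolution for an adapter-node deployment: with ORIGIN unset the origin
// comes from request headers the client controls; with ORIGIN set it is fixed.
// The http fallback, hostnames and allowlist are assumptions for illustration.
'use strict';

// env: process.env-like object; headers: lower-cased request header names.
function resolveOrigin(env, headers) {
  // A pinned ORIGIN wins and the client cannot influence it.
  if (env.ORIGIN) return new URL(env.ORIGIN).origin;
  // Otherwise the origin is whatever the forwarded or raw headers claim
  // (PROTOCOL_HEADER / HOST_HEADER are only safe behind a proxy that
  // overwrites those headers on every request).
  const proto = (env.PROTOCOL_HEADER && headers[env.PROTOCOL_HEADER.toLowerCase()]) || 'http';
  const host = (env.HOST_HEADER && headers[env.HOST_HEADER.toLowerCase()]) || headers['host'];
  if (!host) throw new Error('no host available to derive the origin');
  return `${proto}://${host}`;
}

// What a reverse proxy in front of the app should enforce: refuse any request
// whose Host is not one of the hostnames this deployment actually serves.
function hostAllowed(headers, allowlist) {
  const host = (headers['host'] || '').toLowerCase();
  return allowlist.includes(host);
}

// Constructed request: the attacker chooses the Host value.
const spoofedHeaders = { host: 'internal-metadata.example:8080', 'x-forwarded-proto': 'https' };

const weakEnv = {};                                    // ORIGIN unset
const hardenedEnv = { ORIGIN: 'https://app.example' }; // ORIGIN pinned
const servedHosts = ['app.example'];

console.log('ORIGIN unset ->', resolveOrigin(weakEnv, spoofedHeaders));
console.log('ORIGIN set   ->', resolveOrigin(hardenedEnv, spoofedHeaders));
console.log('proxy accepts spoofed Host?', hostAllowed(spoofedHeaders, servedHosts));
```

With ORIGIN unset the derived origin is the attacker-supplied host and port, which is the value the server then uses for its own requests and redirects; with ORIGIN set the same request resolves to the pinned origin, and a proxy with the allowlist check rejects it before it reaches Node at all.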
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability affecting @sveltejs/kit versions 2.19.0 - 2.49.4, allowing attackers to make unauthorized requests.
You are affected if you are using @sveltejs/kit versions 2.19.0 through 2.49.4 and have prerendered routes with adapter-node and a missing ORIGIN environment variable.
Upgrade to @sveltejs/kit version 2.49.5 or later. Until then, set the ORIGIN environment variable for adapter-node or put a reverse proxy in front of the application that validates the Host header and enforces HSTS.
Currently, there are no known active exploitation campaigns targeting this vulnerability, but a public proof-of-concept exists.
Refer to the official @sveltejs/kit security documentation for detailed information and updates: [https://kit.svelte.dev/docs/security](https://kit.svelte.dev/docs/security)