Platform: nodejs
Component: @sveltejs/kit
Fixed in: 2.19.1, 2.49.5
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability in @sveltejs/kit. It affects applications that have prerendered routes (export const prerender = true) and are deployed with adapter-node without the ORIGIN environment variable set, and without a reverse proxy in front of the app that validates the Host header (the advisory also mentions a proxy implementing HSTS). The SSRF affects versions 2.19.0 through 2.49.4; the DoS additionally affects versions 2.44.0 and later within that range. The fix shipped in version 2.49.5.
Without ORIGIN, adapter-node reconstructs the application's origin from incoming request headers (the Host header, or the headers named by PROTOCOL_HEADER and HOST_HEADER when those are configured), so a direct client can choose the origin the server believes it is running on. In the affected configuration an attacker can use this to make the server issue requests to hosts of the attacker's choosing, including internal services that are not reachable from the internet, which can lead to data exposure or further compromise of those services. The DoS component lets an attacker trigger excessive server-side requests and exhaust server resources, making the application unavailable. The pattern is the classic SSRF one: a server-side fetch whose destination is derived from attacker-controlled input.
The vulnerability was publicly disclosed on 2026-01-15 and carries a CVSS score of 7.5 (HIGH). No active exploitation campaigns are known at the time of writing, although a public proof-of-concept exists, which could change that. It is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2025-67647 is to upgrade to @sveltejs/kit version 2.49.5 or later. If upgrading is not immediately feasible, set the ORIGIN environment variable for adapter-node (for example ORIGIN=https://app.example.com) so that SvelteKit uses a fixed origin instead of deriving one from the incoming Host header. If the app sits behind a reverse proxy, have the proxy reject or rewrite requests whose Host header does not match your domain, and only set PROTOCOL_HEADER and HOST_HEADER when that proxy is trusted, since otherwise clients can spoof those headers directly. HSTS on the proxy hardens transport for browsers but does not by itself constrain the Host header a direct client sends, so do not rely on it as the sole control. Review your prerendering configuration and make sure only the routes you intend are prerendered. After upgrading or reconfiguring, verify the fix by requesting a prerendered route with a Host header pointing at a listener you control and confirming that the server makes no request to it.
In short: update SvelteKit to version 2.49.5 or higher, which addresses both the DoS and the SSRF. If you cannot update immediately, review your adapter-node configuration and ensure that either ORIGIN is set or a reverse proxy in front of the app validates the Host header.
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability affecting @sveltejs/kit versions 2.19.0 through 2.49.4 that lets attackers make the server issue requests to hosts of their choosing.
You are affected if you use @sveltejs/kit 2.19.0 through 2.49.4, have prerendered routes, deploy with adapter-node, and have not set the ORIGIN environment variable (and have no reverse proxy validating the Host header).
Upgrade to @sveltejs/kit version 2.49.5 or later. As an interim measure, set the ORIGIN environment variable for adapter-node or place the app behind a reverse proxy that validates the Host header.
Currently, there are no known active exploitation campaigns targeting this vulnerability, but a public proof-of-concept exists.
See SvelteKit's security documentation and the project's GitHub security advisory for CVE-2025-67647 for details and updates: [https://kit.svelte.dev/docs/security](https://kit.svelte.dev/docs/security)