Platform
nodejs
Component
@sveltejs/kit
Fixed in
2.19.1
2.49.5
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability affecting @sveltejs/kit. It arises when an application uses prerendered routes (`export const prerender = true`) together with adapter-node and runs without a properly configured ORIGIN environment variable or without a reverse proxy that implements HSTS. The vulnerability affects versions 2.19.0 and later, with the DoS component specifically affecting versions 2.44.0 and later. A fix is available in version 2.49.5.
An attacker can exploit this SSRF vulnerability to make arbitrary requests from the server, potentially accessing internal resources or interacting with external services on behalf of the application. This could lead to data exfiltration, unauthorized access to sensitive systems, or even remote code execution if the targeted internal services are vulnerable. The DoS component allows an attacker to exhaust server resources by triggering excessive requests, leading to application unavailability. The lack of an ORIGIN environment variable in adapter-node configurations significantly increases the risk, as it allows the server to make requests to any domain without restriction. This vulnerability shares similarities with other SSRF exploits where attackers leverage server-side processes to bypass security controls and access restricted resources.
This vulnerability was publicly disclosed on 2026-01-15. The CVSS score of 7.5 (HIGH) indicates a significant risk. Currently, there are no known active exploitation campaigns targeting this vulnerability, but the availability of a public proof-of-concept could change this. It is not listed on the CISA KEV catalog at the time of writing.
Applications built with @sveltejs/kit that utilize prerendered routes and the adapter-node are at risk, particularly those lacking a configured ORIGIN environment variable or a reverse proxy with HSTS. Shared hosting environments where users have limited control over server configuration are also particularly vulnerable.
• nodejs / server: `ps aux | grep sveltekit`
• nodejs / server: `find / -name 'svelte.config.js' -print`
• nodejs / server: `grep -r 'export const prerender = true' .`
• nodejs / server: Check environment variables for ORIGIN in your deployment environment. Use `env | grep ORIGIN`.
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2025-67647 is to upgrade to @sveltejs/kit version 2.49.5 or later. If upgrading is not immediately feasible, configure the ORIGIN environment variable for adapter-node to restrict the domains the server can make requests to. Alternatively, implement a reverse proxy that enforces HSTS (HTTP Strict Transport Security) to prevent man-in-the-middle attacks and further limit the scope of potential SSRF exploitation. Review your application's prerendering configuration and ensure that only trusted routes are prerendered. After upgrading, confirm the fix by attempting to trigger a request to an internal or external resource that was previously accessible and verifying that the request is now blocked or redirected.
Update SvelteKit to version 2.49.5 or higher. This fixes the denial-of-service (DoS) vulnerability and the potential server-side request forgery (SSRF). If you cannot update immediately, review your adapter-node configuration and make sure that you either have an ORIGIN environment variable configured or a reverse proxy that validates the Host header.
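As an added illustration of the Host header validation that the mitigations above call for (example code written for this page, not SvelteKit's or adapter-node's own), the following Node.js snippet wraps a request listener so that only allowlisted Host values reach the app. The hostnames, the echo handler and the `simulate` helper are constructed placeholders; in a real deployment the wrapped handler would be the one exported from adapter-node's build output.

```javascript
// Constructed allowlist: the hostnames this deployment is legitimately
// served on (the same host you would otherwise put in ORIGIN).
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:443']);

// Returns the canonical origin for an allowlisted Host header, or null when
// the header is absent, malformed or not allowlisted (host names are
// case-insensitive, so the comparison is done in lower case).
function validateHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string') return null;
  const host = hostHeader.trim().toLowerCase();
  // Only "hostname" or "hostname:port" is acceptable; a scheme, path,
  // userinfo or embedded whitespace is rejected outright.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return null;
  return allowed.has(host) ? `https://${host}` : null;
}

// Wraps a downstream Node request listener (for adapter-node: the handler
// exported from build/handler.js) so that requests with an unexpected Host
// header get 421 Misdirected Request instead of reaching the app, where an
// untrusted Host would otherwise be used to build the app's own origin.
function guardHost(next, allowed = ALLOWED_HOSTS) {
  return (req, res) => {
    const origin = validateHost(req.headers.host, allowed);
    if (origin === null) {
      res.writeHead(421, { 'content-type': 'text/plain' });
      res.end('Misdirected Request\n');
      return;
    }
    req.validatedOrigin = origin; // available to the downstream handler
    next(req, res);
  };
}

// Constructed stand-in for the real app handler.
function echoHandler(req, res) {
  res.writeHead(200, { 'content-type': 'text/plain' });
  res.end(`served for ${req.validatedOrigin}\n`);
}

// Runs the guard against an in-memory request/response pair and returns the
// status code written, so the behaviour can be checked without a socket.
function simulate(hostHeader, next = echoHandler) {
  let status = null;
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } };
  const res = { writeHead(code) { status = code; }, end() {} };
  guardHost(next)(req, res);
  return status;
}
```

To deploy it, pass `guardHost(handler)` to `http.createServer` in place of the bare adapter-node handler; the allowlist should then contain exactly the host the ORIGIN variable would name.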
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability affecting @sveltejs/kit versions 2.19.0 through 2.49.4, allowing attackers to make unauthorized requests.
You are affected if you are using @sveltejs/kit versions 2.19.0 through 2.49.4 and have prerendered routes with adapter-node and a missing ORIGIN environment variable.
Upgrade to @sveltejs/kit version 2.49.5 or later. Alternatively, configure the ORIGIN environment variable for adapter-node or implement a reverse proxy with HSTS.
Currently, there are no known active exploitation campaigns targeting this vulnerability, but a public proof-of-concept exists.
Refer to the official @sveltejs/kit security advisory for detailed information and updates: [https://kit.svelte.dev/docs/security](https://kit.svelte.dev/docs/security)