CVE-2024-23641
📋 TL;DR
SvelteKit 2 applications crash when receiving GET or TRACE requests with a body, requiring manual restart. This affects SvelteKit 2 apps in preview or production hosting, but not prerendered pages or SvelteKit 1 apps. The vulnerability allows denial of service attacks.
💻 Affected Systems
- SvelteKit
- @sveltejs/adapter-node
📦 What is this software?
Kit by Svelte
⚠️ Risk & Real-World Impact
Worst Case
Attackers can repeatedly crash production applications, causing sustained downtime and requiring manual intervention to restore service.
Likely Case
Accidental or malicious GET/TRACE requests with bodies cause application crashes, resulting in temporary service disruption until manual restart.
If Mitigated
With proper request validation or patching, applications handle malformed requests gracefully without crashing.
🎯 Exploit Status
Exploitation requires sending simple HTTP requests. Proof of concept is available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SvelteKit 2.4.3, @sveltejs/adapter-node 2.1.2/3.0.3/4.0.1
Vendor Advisory: https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49
Restart Required: Yes
Instructions:
1. Update @sveltejs/kit to version 2.4.3 or later.
2. Update @sveltejs/adapter-node to version 2.1.2, 3.0.3, or 4.0.1, depending on your major version.
3. Rebuild and redeploy your application.
🔧 Temporary Workarounds
Request validation middleware
Add middleware to reject GET/TRACE requests with bodies before they reach SvelteKit
Implement custom request validation in your server configuration or reverse proxy
Reverse proxy filtering
Configure your reverse proxy (nginx, Apache, etc.) to block or strip bodies from GET/TRACE requests
Add configuration to your reverse proxy to handle GET/TRACE requests with bodies
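A request guard in the spirit of the middleware workaround above, added here as an example; it is not code from the SvelteKit project or the advisory. It assumes a Node.js http server that wraps the adapter-node request handler (the handler's export path is an assumption) and rejects GET/TRACE requests that declare a body before SvelteKit ever sees them.

```javascript
// Added example: HTTP-layer guard for CVE-2024-23641 until @sveltejs/kit is
// updated to 2.4.3 or later. Not part of the SvelteKit project.
const BODYLESS_METHODS = new Set(['GET', 'TRACE']);

// True when the request declares a body: a non-zero Content-Length, or any
// Transfer-Encoding (chunked bodies carry no Content-Length at all).
function declaresBody(headers) {
  const len = headers['content-length'];
  if (len !== undefined && Number.parseInt(len, 10) > 0) return true;
  return headers['transfer-encoding'] !== undefined;
}

// Pure decision function: returns the status to send (400) when a bodyless
// method arrives with a body, or null to let the request through.
function rejectionStatus(method, headers) {
  if (!BODYLESS_METHODS.has(String(method).toUpperCase())) return null;
  return declaresBody(headers) ? 400 : null;
}

// Wrap an existing (req, res) handler, e.g. the one exported by adapter-node's
// build/handler.js (assumed path), so offending requests never reach it.
function withBodyGuard(handler) {
  return function guarded(req, res) {
    const status = rejectionStatus(req.method, req.headers);
    if (status !== null) {
      req.resume(); // drain the unwanted body so the socket can be reused
      res.writeHead(status, { 'Content-Type': 'text/plain' });
      res.end('Request with GET/TRACE method cannot have body\n');
      return status;
    }
    return handler(req, res);
  };
}

// Wiring for a real deployment (not invoked here). Dynamic import keeps this
// file valid under both CommonJS and ES module loading.
async function startGuardedServer(handler, port) {
  const { createServer } = await import('node:http');
  return createServer(withBodyGuard(handler)).listen(port);
}
```

In a deployment, `startGuardedServer(handler, 3000)` replaces a plain `createServer(handler)`; the guard only looks at headers, so it adds no per-request buffering.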
🧯 If You Can't Patch
- Implement request validation at the edge (CDN, WAF, or reverse proxy) to reject GET/TRACE requests with bodies
- Monitor application logs for crash events and implement automated restart mechanisms
🔍 How to Verify
Check if Vulnerable:
Check package.json for an @sveltejs/kit version below 2.4.3, or an @sveltejs/adapter-node version below the patched release for its major (2.1.2, 3.0.3, or 4.0.1)
Check Version:
npm list @sveltejs/kit @sveltejs/adapter-node
Verify Fix Applied:
After updating, test by sending a GET request with a body to your application; it should be handled without crashing the process
📡 Detection & Monitoring
Log Indicators:
- "Request with GET/HEAD method cannot have body" error messages
- Application crash/restart events
- Increased error rates for GET/TRACE requests
Network Indicators:
- GET or TRACE requests with Content-Length > 0 or request bodies
- Sudden drop in application availability
SIEM Query:
search 'Request with GET/HEAD method cannot have body' OR 'application crash' AND source='sveltekit'
🔗 References
- https://github.com/sveltejs/kit/commit/af34142631c876a7eb62ff81f71e8a3f90dafee9
- https://github.com/sveltejs/kit/security/advisories/GHSA-g5m6-hxpp-fc49