影响 Svelte 生态系统的 CVE

影响 Svelte 生态系统的 CVE
CVEs affecting the Svelte ecosystem

原始链接: https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem

## Svelte 安全更新 - 紧急升级所需 **devalue**、**svelte**、**@sveltejs/kit** 和 **@sveltejs/adapter-node** 中发现并已修复了多个漏洞。**立即升级至关重要**： * **devalue:** 5.6.2 * **svelte:** 5.46.4 * **@sveltejs/kit:** 2.49.5 * **@sveltejs/adapter-node:** 5.5.1 这些修复解决了多个拒绝服务 (DoS) 漏洞，包括 `devalue.parse` 中的潜在内存耗尽问题 (CVE-2026-22775 & CVE-2026-22774)，尤其影响使用远程函数的 SvelteKit 应用程序。启用 `experimental.remoteFunctions` 标志的远程函数存在内存放大 DoS (CVE-2026-22803)。此外，使用旧版本的 `@sveltejs/kit` 和 `@sveltejs/adapter-node` 的具有预渲染路由的应用程序受到 DoS 和潜在的服务器端请求伪造 (SSRF) 漏洞的影响 (CVE-2025-67647)。最后，在使用未经过清理的输入时，使用 `hydratable` 会存在跨站脚本 (XSS) 漏洞 (CVE-2025-15265)。 Svelte 团队感谢安全研究人员的负责任披露，并正在投资改进漏洞预防流程。请通过相关仓库的安全选项卡私下报告任何潜在漏洞。

## Svelte 生态系统 CVE 总结最近一篇 Hacker News 帖子详细介绍了几个影响 Svelte 生态系统的常见漏洞和暴露 (CVE)，主要在 `devalue` 库和 SvelteKit 中。这些漏洞主要集中在拒绝服务 (DoS) 攻击上，并发现了一个跨站脚本 (XSS) 问题。具体来说，多个 CVE (2026-22775, 2026-22774, 2026-22803) 与 `devalue.parse` 中的内存/CPU 耗尽有关，尤其影响使用远程函数应用程序。另一个 CVE (2025-67647) 暴露了预渲染期间潜在的服务器端请求伪造 (SSRF) 和 DoS 风险。最后，CVE-2025-15265 详细说明了通过 `hydratable` 功能造成的 XSS 漏洞。值得注意的是，该帖子澄清这些 CVE 的严重程度低于最近的 React Server Components 漏洞，后者允许远程代码执行 (RCE)。*不*使用远程函数的用户，对其中几个已识别的问题的脆弱性较低。

原文

We’ve released patches for 5 vulnerabilities across devalue, svelte, @sveltejs/kit, and @sveltejs/adapter-node. Here’s what you need to know:

Upgrade now

If you’re using any of these packages, upgrade them to their corresponding non-vulnerable versions:

devalue: 5.6.2
svelte: 5.46.4
@sveltejs/kit: 2.49.5
@sveltejs/adapter-node: 5.5.1

For cross-dependent packages — svelte and @sveltejs/kit depend on devalue — patched versions already include upgraded dependencies.

We’re extremely thankful to all of the security researchers who responsibly disclosed these vulnerabilities and worked with us to get them fixed, to the security team at Vercel who helped us navigate the disclosure process, and to the maintainers who worked to publish the fixes.

Over the last few weeks, we’ve seen a spate of high profile vulnerabilities affecting popular tools across the web development ecosystem. While they are unfortunate, it has been encouraging to see the community pulling together to keep end users safe. Using the lessons learned from these vulnerabilities, we will invest in processes that will help catch future bugs during the writing and review phases, before they go live.

If you think you have discovered a vulnerability in a package maintained by the Svelte team, we urge you to privately report it via the Security tab on the repo in question (or the Svelte repo, if unsure).

Details

Full reports are available in the published security advisories, but we’ve included a brief summary of each below.

CVE-2026-22775: DoS in devalue.parse due to memory/CPU exhaustion

Packages affected:

You’re affected if:

You’re using devalue versions 5.1.0 through 5.6.1, and
You’re parsing user-controlled input

Effects:

A malicious payload can cause arbitrarily large memory allocation, potentially crashing the process
SvelteKit applications using remote functions are vulnerable, as the parameters are run through devalue.parse
If you don’t have remote functions enabled, SvelteKit is not vulnerable

CVE-2026-22774: DoS in devalue.parse due to memory exhaustion

(Yes, this is very similar to the previous CVE. No, it is not the same!)

Packages affected:
You’re affected if:
- You’re using devalue versions 5.3.0 through 5.6.1, and
- You’re parsing user-controlled input
Effects:
- A malicious payload can cause arbitrarily large memory allocation, potentially crashing the process
- SvelteKit applications using remote functions are vulnerable, as the parameters are run through devalue.parse
- If you don’t have remote functions enabled, SvelteKit is not vulnerable

CVE-2026-22803: Memory amplification DoS in Remote Functions binary form deserializer

Packages affected:

You’re affected if:

You’re using SvelteKit versions 2.49.0 through 2.49.4, and
You’ve enabled the experimental.remoteFunctions flag, and
You’re using form

Effects:

Users can submit a malicious request that causes your application to hang and allocate arbitrarily-large amounts of memory

CVE-2025-67647: Denial of service and possible SSRF when using prerendering

Packages affected:

@sveltejs/kit
@sveltejs/adapter-node

You’re vulnerable to DoS if:

You’re using @sveltejs/kit versions 2.44.0 through 2.49.4, and
Your app has at least one prerendered route

You’re vulnerable to DoS and SSRF if:

You’ve using @sveltejs/kit versions 2.19.0 through 2.49.4, and
Your app has at least one prerendered route, and
You’re using @sveltejs/adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation

Effects:

DoS causes the server process to die
SSRF allows access to internal resources that can be reached without authentication from SvelteKit’s server runtime
If the stars align, it’s possible to obtain SXSS via cache poisoning by forcing a potential CDN to cache an XSS returned by the attacker’s server (the latter being able to specify the cache-control of their choice)

CVE-2025-15265: XSS via hydratable

Packages affected:

You’re vulnerable if:
- You’re using hydratable, and you’re passing unsanitized, user-controlled strings in as keys
Effects:
- Your users are vulnerable to XSS if an attacker can manage to get a controlled key into hydratable that is then returned to another user