{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22803", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.287Z", "datePublished": "2026-01-15T18:37:57.831Z", "dateUpdated": "2026-01-15T19:06:13.528Z"}, "containers": {"cna": {"title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"}, {"name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"}, {"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"}], "affected": [{"vendor": "sveltejs", "product": "kit", "versions": [{"version": ">= 2.49.0, < 2.49.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T18:37:57.831Z"}, "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."}], "source": {"advisory": "GHSA-j2f3-wq62-6q46", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T19:06:02.781041Z", "id": "CVE-2026-22803", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:06:13.528Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22803", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-15T19:06:02.781041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T19:06:10.859Z"}}], "cna": {"title": "SvelteKit has a memory amplification DoS in Remote Functions binary form deserializer", "source": {"advisory": "GHSA-j2f3-wq62-6q46", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sveltejs", "product": "kit", "versions": [{"status": "affected", "version": ">= 2.49.0, < 2.49.5"}]}], "references": [{"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46", "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5", "name": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1", "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T18:37:57.831Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22803", "state": "PUBLISHED", "dateUpdated": "2026-01-15T19:06:13.528Z", "dateReserved": "2026-01-09T22:50:10.287Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T18:37:57.831Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B5934633-0268-4EE3-9659-8C502C327D41", "versionEndExcluding": "2.49.5", "versionStartIncluding": "2.49.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5."}], "id": "CVE-2026-22803", "lastModified": "2026-01-21T20:34:46.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-15T19:16:06.120", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:03:54.237112+00:00", "value": {"mitigation_remediation": ["Apply the patch by upgrading SvelteKit to version 2.49.5 or later, which removes the binary deserializer flaw.", "If an upgrade cannot be performed immediately, disable or remove the experimental form remote function feature until the vulnerability is fixed, to eliminate the attack surface.", "As an additional safeguard, configure the server to enforce strict limits on inbound request body sizes or overall memory usage, reducing the chance of successful memory amplification.", "Monitor application logs and network traffic for unusually large payloads, and enforce rate limiting on the affected endpoints if possible."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "Vulnerable releases of the SvelteKit framework, specifically versions 2.49.0, 2.49.1, 2.49.2, 2.49.3, and 2.49.4, built with Node.js and used in web applications by developers specifying adapter-node. No other product versions are mentioned as affected.", "description_and_impact": "SvelteKit\u2019s experimental form remote function, used from versions 2.49.0 through 2.49.4, deserializes binary data that represents submitted form data. A specially crafted payload can trigger the server to allocate a large volume of memory, leading to a denial\u2011of\u2011service through memory exhaustion. The weakness corresponds to uncontrolled or arbitrary resource consumption (CWE\u2011770) and inappropriate input handling (CWE\u2011789).", "risk_and_exploitability": "The vulnerability receives a CVSS score of 8.2, indicating high severity. The EPSS score is below 1\u202f%, suggesting a low but nonzero probability of exploitation at present, and it is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be a network\u2011bound HTTP request to a remote function endpoint, which accepts a binary payload, enabling an attacker to trigger memory exhaustion from a remote location."}}}}, "created": "2026-01-16T13:42:49.991438+00:00", "updated": "2026-04-18T06:15:15.862771+00:00", "vendors": ["svelte", "svelte$PRODUCT$kit"]}