Hasty Briefs (beta)


CVEs Affecting the Svelte Ecosystem

4 months ago
  • #Svelte
  • #vulnerabilities
  • #security
  • Patches released for 5 vulnerabilities in Svelte ecosystem packages: devalue, svelte, @sveltejs/kit, and @sveltejs/adapter-node.
  • Upgrade to non-vulnerable versions: devalue (5.6.2), svelte (5.46.4), @sveltejs/kit (2.49.5), @sveltejs/adapter-node (5.5.1).
  • CVE-2026-22775: DoS in devalue.parse due to memory/CPU exhaustion affecting devalue versions 5.1.0 through 5.6.1.
  • CVE-2026-22774: Similar DoS in devalue.parse affecting versions 5.3.0 through 5.6.1.
  • CVE-2026-22803: Memory amplification DoS in SvelteKit's remote functions affecting versions 2.49.0 through 2.49.4.
  • CVE-2025-67647: DoS and possible SSRF in prerendering affecting @sveltejs/kit and @sveltejs/adapter-node under specific conditions.
  • CVE-2025-15265: XSS via hydratable in svelte versions 5.46.0 through 5.46.3 (the same 5.46 series as the 5.46.4 fix).
  • Encouragement to report vulnerabilities privately via the Security tab on relevant repos.
  • Community and security researchers thanked for responsible disclosure and collaboration.
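The check a practitioner would want after reading this is whether any copy of these four packages, including nested duplicates deep in node_modules, is still below the fixed versions. The script below is an added example, not code from the brief or from the Svelte project: it walks a package-lock.json (lockfileVersion 2 or 3), compares each installed copy against the fixed versions and affected ranges the brief lists, and reports one finding per matching CVE. Assumptions: the brief gives one fixed version per package, so that version is applied to every CVE on that package; the svelte lower bound is taken as 5.46.0, matching the 5.46.4 fix; where the brief states no lower bound, any copy below the fix is flagged. The sample lockfile is constructed for the example.

```javascript
// Added example (not from the brief or the Svelte project): audit a
// package-lock.json against the fixed versions and affected ranges the brief
// lists. One entry per (package, CVE); `from` is the first affected version
// where the brief states one, otherwise null (flag anything below `fixed`).
const ADVISORIES = [
  { pkg: "devalue", cve: "CVE-2026-22775", from: "5.1.0", fixed: "5.6.2" },
  { pkg: "devalue", cve: "CVE-2026-22774", from: "5.3.0", fixed: "5.6.2" },
  // Assumption: first affected release is 5.46.0, same series as the 5.46.4 fix.
  { pkg: "svelte", cve: "CVE-2025-15265", from: "5.46.0", fixed: "5.46.4" },
  { pkg: "@sveltejs/kit", cve: "CVE-2026-22803", from: "2.49.0", fixed: "2.49.5" },
  // The brief gives no lower bound for CVE-2025-67647; anything below the fix is reported.
  { pkg: "@sveltejs/kit", cve: "CVE-2025-67647", from: null, fixed: "2.49.5" },
  { pkg: "@sveltejs/adapter-node", cve: "CVE-2025-67647", from: null, fixed: "5.5.1" },
];

// Parse "major.minor.patch[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?=?\s*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric core first, then a prerelease sorts before the
// corresponding release (5.6.2-next.1 < 5.6.2), then prerelease identifiers
// compare numerically when both are numeric, else lexically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease.length && !pb.prerelease.length) return -1;
  if (!pa.prerelease.length && pb.prerelease.length) return 1;
  const n = Math.max(pa.prerelease.length, pb.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = pa.prerelease[i], y = pb.prerelease[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// `lock` is a parsed package-lock.json. In lockfileVersion 2/3 the `packages`
// keys are install paths ("node_modules/svelte",
// "node_modules/dep/node_modules/devalue"); the package name is whatever
// follows the last "node_modules/", so nested duplicate copies are checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !entry.version) continue; // root project or a link without a version
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    for (const adv of ADVISORIES) {
      if (adv.pkg !== name) continue;
      if (compareVersions(entry.version, adv.fixed) >= 0) continue;        // already fixed
      if (adv.from && compareVersions(entry.version, adv.from) < 0) continue; // predates the bug
      findings.push({ name, path, installed: entry.version, fixed: adv.fixed, cve: adv.cve });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): the top-level devalue is
// fixed, but a dependency pins an older nested copy; svelte and kit are one
// patch below the fix; adapter-node is already on the fix.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.0.1" },
    "node_modules/devalue": { version: "5.6.2" },
    "node_modules/some-dep/node_modules/devalue": { version: "5.2.0" },
    "node_modules/svelte": { version: "5.46.3" },
    "node_modules/@sveltejs/kit": { version: "2.49.4" },
    "node_modules/@sveltejs/adapter-node": { version: "5.5.1" },
  },
};

// Usage: node audit-svelte-lock.js path/to/package-lock.json
// (exit status 1 if anything is below a fixed version). Without a path, the
// script only defines the functions above for reuse.
if (typeof require !== "undefined" && process.argv[2]) {
  const lock = JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"));
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.path}: ${f.installed} < ${f.fixed} (${f.cve})`);
  }
  process.exitCode = findings.length ? 1 : 0;
}
```

On the sample lockfile the nested devalue 5.2.0 is reported for CVE-2026-22775 only, since 5.2.0 predates the 5.3.0 lower bound of CVE-2026-22774; the top-level devalue is not reported at all. A lockfile-based check like this is preferable to `npm ls` alone because it sees every installed copy, and nested duplicates are exactly where an upgrade of the top-level dependency tends to leave a vulnerable version behind.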