CVEs affecting the Svelte ecosystem
The Svelte team has announced the release of critical security patches addressing five distinct vulnerabilities (CVEs) affecting the broader Svelte ecosystem, including svelte, @sveltejs/kit, @sveltejs/adapter-node, and the devalue library. These vulnerabilities primarily involve Denial of Service (DoS) risks due to memory and CPU exhaustion when parsing malicious user-controlled input, as well as potential Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) via hydration mechanisms. Developers are strongly urged to update to the latest versions, specifically devalue 5.6.2, svelte 5.46.4, @sveltejs/kit 2.49.5, and @sveltejs/adapter-node 5.5.1, as these fixes mitigate severe threats that could crash server processes or expose internal resources. The team expressed appreciation for the responsible disclosures from security researchers and emphasized their commitment to enhancing future code review processes to prevent similar bugs.
Summaries are AI-generated to help you scan faster. Open the original source for full context.