CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score confidence: High

EPSS percentile: 17.0%

In SvelteKit 2, sending a GET request with a body (e.g. `{}`) to a SvelteKit app in preview or with adapter-node throws `Request with GET/HEAD method cannot have body.` and crashes the app.

```
node:internal/deps/undici/undici:6066
throw new TypeError("Request with GET/HEAD method cannot have body.");
^
TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
Node.js v20.11.0
```

`TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.

First do a fresh install of SvelteKit 2 with the example app. TypeScript.

```
npm run build
npm run preview
```

Denial of Service for apps using adapter-node
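
Added example (not SvelteKit's own code or its fix): the unguarded `Request` construction seen in the trace, next to a guarded version that turns the same inputs into a 4xx status instead of an exception. The function names and the choice of 400/405 are assumptions; it needs Node 18+ for the global `Request`.

```javascript
// Added illustration; precheck, buildRequest and unguarded are hypothetical names.

// Methods for which the Fetch Request constructor rejects any body.
const BODYLESS = new Set(['GET', 'HEAD']);
// Methods the Fetch spec forbids; the constructor throws for these as well.
const FORBIDDEN = new Set(['TRACE', 'TRACK', 'CONNECT']);

// Decide from the raw method and (lower-cased) headers whether a fetch
// Request can be built at all, before touching the constructor.
function precheck(method, headers) {
  const m = String(method).toUpperCase();
  if (FORBIDDEN.has(m)) return { ok: false, status: 405 };
  const len = Number(headers['content-length'] ?? 0);
  const hasBody = len > 0 || headers['transfer-encoding'] !== undefined;
  if (BODYLESS.has(m) && hasBody) return { ok: false, status: 400 };
  return { ok: true, hasBody };
}

// Guarded construction: every rejection becomes a status code, so nothing
// propagates as an uncaught exception out of the request callback.
function buildRequest(method, url, headers, body) {
  const check = precheck(method, headers);
  if (!check.ok) return { status: check.status };
  try {
    const init = { method, headers };
    if (check.hasBody) init.body = body;
    return { request: new Request(url, init) };
  } catch {
    return { status: 400 };
  }
}

// Unguarded construction, as in the stack trace above. Returns the message
// of the TypeError, or null if the constructor accepted the input.
function unguarded(method, url, body) {
  try {
    new Request(url, { method, body });
    return null;
  } catch (e) {
    return e.message;
  }
}

// Constructed sample inputs (nothing is sent over the network).
const URL_SAMPLE = 'http://localhost:4173/';
console.log(unguarded('GET', URL_SAMPLE, '{}'));
console.log(buildRequest('GET', URL_SAMPLE, { 'content-length': '2' }, '{}'));
console.log(buildRequest('TRACE', URL_SAMPLE, {}, undefined));
```
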
Vendor | Product | Version | CPE |
---|---|---|---|
sveltejs | adapter-node | 4.0.0 | cpe:2.3:a:sveltejs:adapter-node:4.0.0:*:*:*:*:*:*:* |
sveltejs | adapter-node | * | cpe:2.3:a:sveltejs:adapter-node:*:*:*:*:*:*:*:* |
sveltejs | kit | * | cpe:2.3:a:sveltejs:kit:*:*:*:*:*:*:*:* |