@sveltejs/kit is vulnerable to Cross-Site Request Forgery (CSRF). Malicious requests can be submitted from third-party domains, which allows an attacker to execute operations within the victim’s session. The CSRF protection is bypassed by specifying a Content-Type header value such as text/plain, possibly leading to unauthorized access to user accounts.
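The gap described above, as an added example that is not SvelteKit's own code: an origin check on form submissions that leaves out text/plain, beside one that covers all three content types an HTML form can send cross-origin without a CORS preflight. The function names, the app.example and other.example origins, and the sample requests are constructed for illustration; normalizing the header's case and parameters is an assumption of this example, not something the advisory states.

```javascript
// Added example: hypothetical names, not SvelteKit internals.
// An HTML <form> can send these three content types cross-origin
// without triggering a CORS preflight.
const WEAK_FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data'];
const FORM_TYPES = [...WEAK_FORM_TYPES, 'text/plain'];

// Reduce "Text/Plain; charset=utf-8" to "text/plain"; a missing header becomes "".
function mediaType(contentType) {
  return (contentType ?? '').split(';', 1)[0].trim().toLowerCase();
}

// True when a state-changing, form-typed request did not come from our own origin.
// Other types (e.g. application/json) are left to the browser's CORS preflight.
function shouldRejectAsCsrf(req, expectedOrigin, formTypes = FORM_TYPES) {
  const stateChanging = ['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method.toUpperCase());
  const formTyped = formTypes.includes(mediaType(req.headers['content-type']));
  const sameOrigin = req.headers['origin'] === expectedOrigin;
  return stateChanging && formTyped && !sameOrigin;
}

// Constructed sample requests (lower-cased header names, as Node delivers them).
const APP_ORIGIN = 'https://app.example';
const SAMPLES = {
  crossSiteUrlencoded: { method: 'POST', headers: { origin: 'https://other.example', 'content-type': 'application/x-www-form-urlencoded' } },
  crossSiteTextPlain: { method: 'POST', headers: { origin: 'https://other.example', 'content-type': 'text/plain' } },
  crossSiteTextPlainParams: { method: 'POST', headers: { origin: 'https://other.example', 'content-type': 'Text/Plain; charset=UTF-8' } },
  sameOriginTextPlain: { method: 'POST', headers: { origin: APP_ORIGIN, 'content-type': 'text/plain' } },
};

// Run every sample through both checks so the difference is visible side by side.
function compareChecks() {
  const result = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    result[name] = {
      weak: shouldRejectAsCsrf(req, APP_ORIGIN, WEAK_FORM_TYPES),
      hardened: shouldRejectAsCsrf(req, APP_ORIGIN),
    };
  }
  return result;
}

console.table(compareChecks());
```

Only the cross-site text/plain rows differ between the two columns: the weak check lets them through and the hardened check rejects them.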