SvelteKit remote forms can crash server with malicious data

GHSA-vrhm-gvg7-fpcf
Summary

If you're using SvelteKit's experimental remote forms, a malicious form submission could crash your server. This only affects projects using both remote functions and forms, and can be fixed by updating to version 2.52.2 or later.

What to do
  • Update `@sveltejs/kit` to version 2.52.2 or later.
Affected software
Vendor    Product  Affected versions      Fix available
sveltejs  kit      > 2.49.0, <= 2.52.1    2.52.2
Original title
Memory exhaustion in SvelteKit remote form deserialization (experimental only)
Original description
Versions of `@sveltejs/kit` prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.

Only applications using both `experimental.remoteFunctions` and `form` are vulnerable.
CVSS 4.0 score (GHSA): 4.6
Vulnerability type
CWE-770 Allocation of Resources Without Limits
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026