SvelteKit form handling can cause Denial of Service
GHSA-fpg4-jhqr-589c
Summary
If you're using SvelteKit's experimental remote functions with form handling and not checking file counts and sizes, an attacker could send a small input that expands into a very large `files` array. If your handler then does expensive processing on that array, it can overwhelm your system and cause a Denial of Service, making your site unavailable. To avoid this, validate `files.length` and individual file sizes in your SvelteKit application code and update to the fixed version.
What to do
- Update `@sveltejs/kit` (vendor sveltejs, product kit) to version 2.53.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sveltejs | kit | > 2.49.0, <= 2.53.2 | 2.53.3 |
Original title
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
Original description
Some relatively small inputs can cause very large files arrays in `form` handlers. If the SvelteKit application code doesn't check `files.length` or individual files' sizes and performs expensive processing with them, it can result in Denial of Service.
Only users with `experimental.remoteFunctions: true` who are using the `form` function and are processing the `files` array without validation are vulnerable.
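A guard of the kind the advisory calls for, as an added example that is not SvelteKit's own code: it checks the `files` array a `form` handler receives for count, per-file size and total size before any expensive processing happens. The limits and the sample inputs are constructed; the helper only relies on each entry exposing a numeric `size`, as a `File` object does.

```javascript
// Added example (not SvelteKit's code): run this on the `files` array a
// `form` handler receives, before any expensive work on the files.
// Limits are constructed values; tune them to your application.
const LIMITS = {
  maxFiles: 10,
  maxBytesPerFile: 5 * 1024 * 1024,
  maxTotalBytes: 20 * 1024 * 1024,
};

function validateFiles(files, limits = LIMITS) {
  if (!Array.isArray(files)) {
    return { ok: false, reason: 'files is not an array', totalBytes: 0 };
  }
  // Check the count first: this cheap test is what defeats a small
  // request that expands into a very large files array.
  if (files.length > limits.maxFiles) {
    return { ok: false, reason: `too many files: ${files.length} > ${limits.maxFiles}`, totalBytes: 0 };
  }
  let total = 0;
  for (const [i, f] of files.entries()) {
    if (!f || typeof f.size !== 'number' || !Number.isFinite(f.size) || f.size < 0) {
      return { ok: false, reason: `file ${i} has no valid size`, totalBytes: total };
    }
    if (f.size > limits.maxBytesPerFile) {
      return { ok: false, reason: `file ${i} exceeds per-file limit (${f.size} bytes)`, totalBytes: total };
    }
    total += f.size;
    // Bound the aggregate too, so many "small" files cannot add up to a large job.
    if (total > limits.maxTotalBytes) {
      return { ok: false, reason: `total upload exceeds ${limits.maxTotalBytes} bytes`, totalBytes: total };
    }
  }
  return { ok: true, reason: '', totalBytes: total };
}

// Constructed sample inputs standing in for File objects (only `.size` is read).
const okBatch = [{ size: 1024 }, { size: 2048 }];
const expandedBatch = Array.from({ length: 10_000 }, () => ({ size: 1 }));

// Usage: reject the request before processing when the guard fails.
console.log(validateFiles(okBatch));        // ok: true, totalBytes: 3072
console.log(validateFiles(expandedBatch));  // ok: false, too many files
```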
CVSS 4.0 score (GHSA): 1.7
Vulnerability type
CWE-770
Allocation of Resources Without Limits
Published: 28 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026