SvelteKit CPU Exhaustion with Remote Forms Can Cause Server Crash
GHSA-88qp-p4qg-rqm6
Summary
If you use SvelteKit remote forms with the experimental feature enabled, an attacker can submit malformed form data that makes your server unresponsive while it processes the submission, resulting in a denial of service. Update SvelteKit to version 2.52.2 or later to prevent this issue.
What to do
- Update `@sveltejs/kit` to version 2.52.2 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sveltejs | kit | > 2.49.0, <= 2.52.1 | 2.52.2 |
Original title
CPU exhaustion in SvelteKit remote form deserialization (experimental only)
Original description
Versions of `@sveltejs/kit` prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.
Only applications using both `experimental.remoteFunctions` and `form` are vulnerable.
CVSS 4.0 score (GHSA): 6.9
Vulnerability type: CWE-843 (Type Confusion)
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026