Vulnerability Details CVE-2025-67647
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.9%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2025-67647
-
cpe:2.3:a:svelte:adapter-node:5.5.0
-
cpe:2.3:a:svelte:kit:2.19.0
-
cpe:2.3:a:svelte:kit:2.19.1
-
cpe:2.3:a:svelte:kit:2.19.2
-
cpe:2.3:a:svelte:kit:2.20.0
-
cpe:2.3:a:svelte:kit:2.20.1
-
cpe:2.3:a:svelte:kit:2.20.2
-
cpe:2.3:a:svelte:kit:2.20.3
-
cpe:2.3:a:svelte:kit:2.20.4
-
cpe:2.3:a:svelte:kit:2.20.5
-
cpe:2.3:a:svelte:kit:2.20.6
-
cpe:2.3:a:svelte:kit:2.20.7
-
cpe:2.3:a:svelte:kit:2.20.8
-
cpe:2.3:a:svelte:kit:2.21.0
-
cpe:2.3:a:svelte:kit:2.21.1
-
cpe:2.3:a:svelte:kit:2.21.2
-
cpe:2.3:a:svelte:kit:2.21.3
-
cpe:2.3:a:svelte:kit:2.21.4
-
cpe:2.3:a:svelte:kit:2.21.5
-
cpe:2.3:a:svelte:kit:2.22.0
-
cpe:2.3:a:svelte:kit:2.22.1
-
cpe:2.3:a:svelte:kit:2.22.2
-
cpe:2.3:a:svelte:kit:2.22.3
-
cpe:2.3:a:svelte:kit:2.22.4
-
cpe:2.3:a:svelte:kit:2.22.5
-
cpe:2.3:a:svelte:kit:2.23.0
-
cpe:2.3:a:svelte:kit:2.24.0
-
cpe:2.3:a:svelte:kit:2.25.0
-
cpe:2.3:a:svelte:kit:2.25.1
-
cpe:2.3:a:svelte:kit:2.25.2
-
cpe:2.3:a:svelte:kit:2.26.0
-
cpe:2.3:a:svelte:kit:2.26.1
-
cpe:2.3:a:svelte:kit:2.27.0
-
cpe:2.3:a:svelte:kit:2.27.1
-
cpe:2.3:a:svelte:kit:2.27.2
-
cpe:2.3:a:svelte:kit:2.27.3
-
cpe:2.3:a:svelte:kit:2.28.0
-
cpe:2.3:a:svelte:kit:2.29.0
-
cpe:2.3:a:svelte:kit:2.29.1
-
cpe:2.3:a:svelte:kit:2.30.0
-
cpe:2.3:a:svelte:kit:2.30.1
-
cpe:2.3:a:svelte:kit:2.31.0
-
cpe:2.3:a:svelte:kit:2.31.1
-
cpe:2.3:a:svelte:kit:2.32.0
-
cpe:2.3:a:svelte:kit:2.33.0
-
cpe:2.3:a:svelte:kit:2.33.1
-
cpe:2.3:a:svelte:kit:2.34.0
-
cpe:2.3:a:svelte:kit:2.34.1
-
cpe:2.3:a:svelte:kit:2.35.0
-
cpe:2.3:a:svelte:kit:2.36.0
-
cpe:2.3:a:svelte:kit:2.36.1
-
cpe:2.3:a:svelte:kit:2.36.2
-
cpe:2.3:a:svelte:kit:2.36.3
-
cpe:2.3:a:svelte:kit:2.37.0
-
cpe:2.3:a:svelte:kit:2.37.1
-
cpe:2.3:a:svelte:kit:2.38.0
-
cpe:2.3:a:svelte:kit:2.38.1
-
cpe:2.3:a:svelte:kit:2.39.0
-
cpe:2.3:a:svelte:kit:2.39.1
-
cpe:2.3:a:svelte:kit:2.40.0
-
cpe:2.3:a:svelte:kit:2.41.0
-
cpe:2.3:a:svelte:kit:2.42.0
-
cpe:2.3:a:svelte:kit:2.42.1
-
cpe:2.3:a:svelte:kit:2.42.2
-
cpe:2.3:a:svelte:kit:2.43.0
-
cpe:2.3:a:svelte:kit:2.43.1
-
cpe:2.3:a:svelte:kit:2.43.2
-
cpe:2.3:a:svelte:kit:2.43.3
-
cpe:2.3:a:svelte:kit:2.43.4
-
cpe:2.3:a:svelte:kit:2.43.5
-
cpe:2.3:a:svelte:kit:2.43.6
-
cpe:2.3:a:svelte:kit:2.43.7
-
cpe:2.3:a:svelte:kit:2.43.8
-
cpe:2.3:a:svelte:kit:2.44.0
-
cpe:2.3:a:svelte:kit:2.45.0
-
cpe:2.3:a:svelte:kit:2.46.0
-
cpe:2.3:a:svelte:kit:2.46.1
-
cpe:2.3:a:svelte:kit:2.46.2
-
cpe:2.3:a:svelte:kit:2.46.3
-
cpe:2.3:a:svelte:kit:2.46.4
-
cpe:2.3:a:svelte:kit:2.46.5
-
cpe:2.3:a:svelte:kit:2.47.0
-
cpe:2.3:a:svelte:kit:2.47.1
-
cpe:2.3:a:svelte:kit:2.47.2
-
cpe:2.3:a:svelte:kit:2.47.3
-
cpe:2.3:a:svelte:kit:2.48.0
-
cpe:2.3:a:svelte:kit:2.48.1
-
cpe:2.3:a:svelte:kit:2.48.2
-
cpe:2.3:a:svelte:kit:2.48.3
-
cpe:2.3:a:svelte:kit:2.48.4
-
cpe:2.3:a:svelte:kit:2.48.5
-
cpe:2.3:a:svelte:kit:2.48.6
-
cpe:2.3:a:svelte:kit:2.48.7
-
cpe:2.3:a:svelte:kit:2.48.8
-
cpe:2.3:a:svelte:kit:2.49.0
-
cpe:2.3:a:svelte:kit:2.49.1
-
cpe:2.3:a:svelte:kit:2.49.2
-
cpe:2.3:a:svelte:kit:2.49.3
-
cpe:2.3:a:svelte:kit:2.49.4