CVE-2024-23641 Overview
CVE-2024-23641 is a denial-of-service vulnerability affecting SvelteKit 2 applications deployed with @sveltejs/adapter-node. A remote attacker can crash a built and previewed or hosted SvelteKit application by sending a GET request containing a body, or by sending a TRACE request. The Node runtime throws Request with GET/HEAD method cannot have body. and the process exits, requiring manual restart. Prerendered pages and SvelteKit 1 applications are not affected. The issue is tracked under [CWE-20] Improper Input Validation.
Critical Impact
Unauthenticated remote attackers can crash production SvelteKit 2 deployments with a single malformed HTTP request, requiring manual service restart for recovery.
Affected Products
- @sveltejs/adapter-node versions prior to 2.1.2, 3.0.3, and 4.0.1
- @sveltejs/kit versions prior to 2.4.3
- SvelteKit 2 applications built and served via the Node adapter or preview server
Discovery Timeline
- 2024-01-24 - CVE-2024-23641 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-23641
Vulnerability Analysis
The vulnerability resides in the Node request conversion logic of @sveltejs/adapter-node. SvelteKit forwards every incoming Node IncomingMessage to a Fetch API Request object before routing it to user code. The adapter unconditionally attached the raw request stream as the body field, regardless of the HTTP method. The Fetch Request constructor rejects a body on GET, HEAD, and TRACE methods and throws a synchronous TypeError. Because the throw occurs at the top of the request handler and is not wrapped in a try/catch, the Node process terminates and the host stops serving traffic.
Root Cause
The adapter did not validate the HTTP method before binding the request body stream. The Fetch specification only permits bodies on POST, PUT, and PATCH. Passing a stream alongside GET, HEAD, or TRACE produces an uncaught exception that crashes the worker, classifying the flaw as improper input validation [CWE-20].
Attack Vector
Exploitation requires no authentication, no user interaction, and only network access to the target. An attacker sends a single HTTP request such as GET / HTTP/1.1 with Content-Length: 2 and body {}, or a TRACE request. The preview or production Node process exits immediately, producing a denial-of-service condition until an operator restarts the service.
// Patch from packages/kit/src/exports/node/index.js
// fix: ignore bodies sent with non-PUT/PATCH/POST requests (#11708)
duplex: 'half',
method: request.method,
headers: /** @type {Record<string, string>} */ (request.headers),
- body: get_raw_body(request, bodySizeLimit)
+ body:
+ request.method === 'POST' || request.method === 'PUT' || request.method === 'PATCH'
+ ? get_raw_body(request, bodySizeLimit)
+ : undefined
});
}
Source: SvelteKit commit af34142. The fix conditionally assigns the request body only for POST, PUT, and PATCH, leaving body as undefined for all other methods so the Fetch Request constructor no longer throws.
Detection Methods for CVE-2024-23641
Indicators of Compromise
- Node process exits with the error message Request with GET/HEAD method cannot have body. in stdout or stderr logs.
- Unexpected restarts of SvelteKit Node services or PM2/systemd respawn events correlated with inbound HTTP traffic.
- Access logs showing GET requests with a non-zero Content-Length header, or TRACE requests against the application origin.
Detection Strategies
- Search application and container logs for the literal string Request with GET/HEAD method cannot have body and alert on any occurrence.
- Inspect reverse-proxy access logs (nginx, HAProxy, CDN) for GET requests carrying request bodies or for TRACE method requests, which are abnormal in production traffic.
- Monitor process supervisors for repeated SvelteKit worker exits within short windows, which indicates active probing or exploitation.
Monitoring Recommendations
- Forward Node application stdout/stderr to a centralized logging pipeline and alert on uncaught TypeError events from the SvelteKit request handler.
- Track HTTP method distribution at the edge and alert on any TRACE requests, which most production applications never receive legitimately.
- Instrument uptime checks that distinguish between healthy responses and connection failures so crash-induced outages are detected within seconds.
How to Mitigate CVE-2024-23641
Immediate Actions Required
- Upgrade @sveltejs/adapter-node to 2.1.2, 3.0.3, or 4.0.1 depending on the major version in use.
- Upgrade @sveltejs/kit to 2.4.3 or later.
- Restart all SvelteKit Node processes after upgrading to load the patched code paths.
- Until patching is complete, block TRACE requests and GET/HEAD requests carrying a body at the reverse proxy or WAF.
Patch Information
The fix is contained in commit af34142631c876a7eb62ff81f71e8a3f90dafee9 and documented in the SvelteKit GHSA-g5m6-hxpp-fc49 advisory. Patched releases: @sveltejs/adapter-node2.1.2, 3.0.3, 4.0.1, and @sveltejs/kit2.4.3.
Workarounds
- Strip request bodies from GET and HEAD requests at an upstream reverse proxy before they reach the Node runtime.
- Reject TRACE requests at the edge using a WAF rule or proxy configuration directive.
- Run SvelteKit behind a process supervisor configured for automatic restart to reduce outage duration if exploitation occurs.
# nginx example: drop TRACE and strip bodies from GET/HEAD before proxying
if ($request_method = TRACE) {
return 405;
}
if ($request_method ~ ^(GET|HEAD)$) {
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
proxy_pass http://sveltekit_upstream;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

