CVE-2025-67647 Overview
CVE-2025-67647 is a Server-Side Request Forgery (SSRF) and Denial of Service (DoS) vulnerability affecting SvelteKit, a popular framework for rapidly developing robust, performant web applications using Svelte. The vulnerability exists in versions prior to 2.49.5 and can be exploited under specific application configurations involving prerendered routes and the adapter-node deployment adapter.
The advisory describes two conditions, which overlap. Versions 2.44.0 through 2.49.4 are exposed to DoS whenever the application has at least one prerendered route (a page or layout with export const prerender = true). Versions 2.19.0 through 2.49.4 are additionally exposed to SSRF when the application is deployed with adapter-node, the ORIGIN environment variable is not set, and no reverse proxy in front of it validates the Host header, because the origin SvelteKit uses for its own internal requests is then derived from attacker-controlled request headers.
Critical Impact
An unauthenticated attacker can send crafted request headers that make the server issue requests to an attacker-chosen origin (SSRF) or raise an uncaught exception in the request handler (DoS) on SvelteKit applications that have prerendered routes.
Affected Products
- SvelteKit versions 2.44.0 through 2.49.4 (DoS via prerendered routes)
- SvelteKit versions 2.19.0 through 2.49.4 (SSRF/DoS with adapter-node configuration)
- @sveltejs/adapter-node (when used without the ORIGIN environment variable and without a Host-validating reverse proxy)
Discovery Timeline
- 2026-01-15 - CVE CVE-2025-67647 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-67647
Vulnerability Analysis
This vulnerability stems from improper handling and validation of HTTP headers in SvelteKit's server-side request handling, specifically within the adapter-node handler and the core respond module. The root cause relates to CWE-918 (Server-Side Request Forgery) and CWE-248 (Uncaught Exception), where malicious header values can manipulate the origin determination logic or cause unhandled exceptions leading to service disruption.
The attack is network-accessible and requires no authentication or user interaction, making it particularly concerning for publicly exposed SvelteKit applications. The vulnerability can lead to high confidentiality and availability impacts, with potential for attackers to access internal resources through SSRF or render the application unavailable through DoS.
Root Cause
The vulnerability originates from insufficient validation of the header values used to construct the request origin. The get_origin() function in the adapter-node handler did not normalize and validate the protocol, host and port headers before assembling them into an origin URL. When a header arrived with multiple values (an array in Node's IncomingHttpHeaders) or with percent-encoded or otherwise unexpected content, the derived origin could point at a host of the attacker's choosing, so SvelteKit's internal requests went to unintended destinations, or the handler threw an exception that nothing caught.
Additionally, the respond module compared the already-decoded resolved path against the raw, still-encoded url.pathname when deciding whether to serve a rerouted prerendered resource, so requests with percent-encoded paths could take a branch they should not have.
Attack Vector
The attack is conducted over the network by sending specially crafted HTTP requests with manipulated headers. Attackers can target applications that:
- Have at least one prerendered route configured
- Use adapter-node without setting the ORIGIN environment variable
- Are not protected by a reverse proxy that validates Host headers
The fix commit shows the approach. In the adapter-node handler, a new normalise_header() function was introduced and get_origin() was changed to use it:
/**
 * @param {string} name
 * @param {string | string[] | undefined} value
 * @returns {string | undefined}
 */
function normalise_header(name, value) {
  if (!name) return undefined;
  if (Array.isArray(value)) {
    if (value.length === 0) return undefined;
    if (value.length === 1) return value[0];
    throw new Error(
      `Multiple values provided for ${name} header where only one expected: ${value}`
    );
  }
  return value;
}

/**
 * @param {import('http').IncomingHttpHeaders} headers
 * @returns {string}
 */
function get_origin(headers) {
  // protocol_header is the module-level header name configured through the
  // PROTOCOL_HEADER environment variable; when it is empty the lookup yields
  // undefined and the protocol falls back to https
  const protocol = decodeURIComponent(normalise_header(protocol_header, headers[protocol_header]) || 'https');
  // ... the host and port lines of get_origin are not included in the excerpt
}
Source: GitHub Commit Update
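The following is an added example, not SvelteKit's or adapter-node's own code: a reduced model of how adapter-node derives the request origin from incoming headers, built around the normalise_header() from the patch above. The config object, the ORIGIN short-circuit, the URL sanity check, the host allowlist and the mapping of failures to a 400 are assumptions made for illustration; the host and port lines of get_origin() follow the protocol line's pattern and are likewise reconstructed. The sample requests at the bottom are constructed, not captured traffic.

```javascript
// Added example (not SvelteKit's or adapter-node's own code): a reduced model of
// how adapter-node derives the request origin from incoming headers, built around
// the normalise_header() from the patch. The config object, the ORIGIN
// short-circuit, the URL sanity check, the allowlist and the 400 mapping are
// assumptions made for illustration.

// Which incoming headers carry the forwarded protocol/host/port. An empty name
// means "not configured"; only the Host header is read by default.
const DEFAULT_CONFIG = {
  origin: '',          // fixed public origin (the ORIGIN env var); when set, headers are ignored
  protocolHeader: '',  // e.g. 'x-forwarded-proto' when a trusted proxy sets it
  hostHeader: 'host',
  portHeader: '',
  allowedHosts: null   // optional Set of acceptable host[:port] values
};

// From the patched adapter-node handler: a single-element array collapses to its
// value, a longer array is an error instead of silently picking one value.
function normalise_header(name, value) {
  if (!name) return undefined;
  if (Array.isArray(value)) {
    if (value.length === 0) return undefined;
    if (value.length === 1) return value[0];
    throw new Error(`Multiple values provided for ${name} header where only one expected: ${value}`);
  }
  return value;
}

// Origin builder. The page's excerpt stops after the protocol line; the host and
// port lines here follow the same pattern and are an assumption.
function get_origin(headers, config = DEFAULT_CONFIG) {
  const protocol = decodeURIComponent(normalise_header(config.protocolHeader, headers[config.protocolHeader]) || 'https');
  const host = decodeURIComponent(normalise_header(config.hostHeader, headers[config.hostHeader]) || '');
  const port = decodeURIComponent(normalise_header(config.portHeader, headers[config.portHeader]) || '');
  if (!host) throw new Error('request has no host header');
  return port ? `${protocol}://${host}:${port}` : `${protocol}://${host}`;
}

// Extra hardening, not part of the patch: the string must parse as a bare http(s)
// origin. A path, query, fragment, userinfo or non-http scheme smuggled in through
// a header would turn the "origin" into something else, so reject it outright.
function validate_origin(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    throw new Error(`unparseable origin: ${candidate}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') throw new Error(`unexpected scheme: ${url.protocol}`);
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    throw new Error(`origin carries extra components: ${candidate}`);
  }
  return { origin: url.origin, host: url.host };
}

// What a request handler would call. A configured ORIGIN never looks at headers;
// otherwise derive, validate and allowlist, and turn every failure (multiple header
// values, bad percent-encoding, unparseable host) into a 400 rather than letting
// the exception escape the handler.
function resolve_origin(headers, config = DEFAULT_CONFIG) {
  if (config.origin) return { status: 200, origin: config.origin };
  try {
    const { origin, host } = validate_origin(get_origin(headers, config));
    if (config.allowedHosts && !config.allowedHosts.has(host)) {
      return { status: 400, error: `host not allowed: ${host}` };
    }
    return { status: 200, origin };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { host: 'app.example' },
  { host: ['app.example', 'evil.example'] },   // duplicate Host: hits the patch's error path
  { host: 'evil.example/internal' },           // path smuggled through Host
  { host: '127.0.0.1:6379' }                   // well-formed, but points at an internal service
];
for (const headers of SAMPLES) {
  console.log(JSON.stringify(headers), '->', resolve_origin(headers));
  console.log('  with ORIGIN pinned ->', resolve_origin(headers, { ...DEFAULT_CONFIG, origin: 'https://app.example' }));
}
```

The last sample is the one worth dwelling on: a Host value of 127.0.0.1:6379 is a perfectly valid origin, so no amount of syntactic checking in the handler rejects it. Only a pinned ORIGIN, a proxy that drops unknown Host values, or an explicit allowlist keeps the derived origin away from internal services, which is why the advisory's mitigations are configuration rather than input filtering.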
The respond module was also patched so that the decoded resolved path is compared against the decoded request pathname rather than the raw, still-encoded one:
// try to serve the rerouted prerendered resource if it exists
if (
  // the resolved path has been decoded so it should be compared to the decoded url pathname
  resolved_path !== decode_pathname(url.pathname) &&
  !state.prerendering?.fallback &&
  has_prerendered_path(manifest, resolved_path)
) {
  // ... (body not included in the excerpt)
}
Source: GitHub Commit Update
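The effect of that one-line change, as an added example rather than SvelteKit's code: decode_pathname() and has_prerendered_path() below are simplified stand-ins for SvelteKit's helpers (the split-on-%25 decoding mirrors the framework's helper as remembered, so treat it as an assumption), the manifest shape is invented, and classify() adds a bad-request outcome for undecodable paths that the excerpt does not show. The patched flag selects which side of the fix is evaluated.

```javascript
// Added example (not SvelteKit's own code): a model of the comparison the respond
// patch corrects. decode_pathname() and has_prerendered_path() are simplified
// stand-ins for SvelteKit's helpers and the manifest shape is an assumption.

// Decode percent-escapes for route matching: a literal "%25" must survive, and
// decodeURI() leaves reserved characters such as %2F encoded.
function decode_pathname(pathname) {
  return pathname.split('%25').map(decodeURI).join('%25');
}

// Simplified manifest lookup: the set of paths that were prerendered at build time.
function has_prerendered_path(manifest, pathname) {
  return manifest.prerendered_paths.has(pathname);
}

// The condition from respond.js. resolved_path is the decoded path the router
// settled on (after any reroute() hook); request_pathname is the raw url.pathname.
// Before the fix the raw pathname was compared directly, so an encoded request
// for a prerendered page never compared equal to its own decoded path.
function should_fetch_rerouted_prerender(resolved_path, request_pathname, manifest, patched) {
  const request_side = patched ? decode_pathname(request_pathname) : request_pathname;
  return resolved_path !== request_side && has_prerendered_path(manifest, resolved_path);
}

// Classify a request the way a hardened handler would: a path whose escapes cannot
// be decoded is rejected up front instead of reaching the comparison.
function classify(resolved_path, request_pathname, manifest, patched) {
  try {
    return should_fetch_rerouted_prerender(resolved_path, request_pathname, manifest, patched)
      ? 'fetch-prerendered'   // SvelteKit goes on to fetch the prerendered file for resolved_path
      : 'continue';           // normal request handling
  } catch (err) {
    if (err instanceof URIError) return 'bad-request';
    throw err;
  }
}

// Constructed manifest: two prerendered pages, one with a non-ASCII segment.
const manifest = { prerendered_paths: new Set(['/café', '/docs/über']) };

// Constructed requests: a direct hit on the prerendered page in its encoded form,
// a genuine reroute from a legacy URL, and a path with a truncated escape.
const CASES = [
  ['/café', '/caf%C3%A9'],
  ['/café', '/legacy-cafe'],
  ['/café', '/caf%C3']
];
for (const [resolved, requested] of CASES) {
  console.log(requested, 'unpatched:', classify(resolved, requested, manifest, false),
              'patched:', classify(resolved, requested, manifest, true));
}
```

The first case is the interesting one: the request already is the prerendered page, only spelled with percent-escapes, yet the unpatched comparison reports it as a reroute and sends SvelteKit off to fetch the resource again; after the fix the two sides compare equal and the branch is skipped. The legacy-URL case shows that a real reroute still takes the branch on both sides.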
Detection Methods for CVE-2025-67647
Indicators of Compromise
- Unusual HTTP requests with multiple values for protocol, host, or port headers
- Server logs showing requests to internal network resources or unexpected destinations
- Application crashes or unhandled exceptions in the SvelteKit handler modules
- Requests targeting prerendered routes with malformed or encoded URL paths
Detection Strategies
- Monitor HTTP access logs for requests carrying suspicious header patterns, particularly multiple values for Host, X-Forwarded-Proto, X-Forwarded-Host or X-Forwarded-Port; note that adapter-node only consults the X-Forwarded-* values when PROTOCOL_HEADER, HOST_HEADER or PORT_HEADER are configured, and reads Host by default
- Implement Web Application Firewall (WAF) rules to detect and block requests with malformed or duplicate forwarding headers
- Review application error logs for uncaught exceptions originating in the adapter-node handler (packages/adapter-node/src/handler.js) or the SvelteKit respond module (packages/kit/src/runtime/server/respond.js); in a built application these files are bundled, so match stack traces on function names such as get_origin rather than on the repository paths, and after upgrading alert on the patched handler's own message "Multiple values provided for ... header where only one expected", which indicates someone is sending duplicate forwarding headers
- Configure intrusion detection systems to alert on outbound connections from the application server to unexpected internal resources
Monitoring Recommendations
- Enable verbose logging for SvelteKit applications to capture header values and request processing details
- Monitor server resource utilization for signs of DoS attacks, including CPU spikes, memory exhaustion, or connection pool depletion
- Implement network segmentation monitoring to detect SSRF attempts reaching internal services
- Set up alerting for abnormal traffic patterns targeting prerendered routes
How to Mitigate CVE-2025-67647
Immediate Actions Required
- Upgrade SvelteKit to version 2.49.5 or later immediately
- Configure the ORIGIN environment variable explicitly when using adapter-node
- Deploy a reverse proxy (nginx, Apache, or cloud load balancer) that validates and sanitizes Host headers
- Review and audit all prerendered routes in the application for potential exposure
Patch Information
The vulnerability is fixed in SvelteKit 2.49.5 (the @sveltejs/kit package). The patch introduces header normalization and validation in the adapter-node handler, along with corrected URL pathname decoding in the respond module. Pin the fixed version and confirm that no older copy remains nested in the dependency tree:
npm install @sveltejs/kit@^2.49.5 @sveltejs/adapter-node@latest
npm ls @sveltejs/kit
For detailed patch information, refer to the GitHub Security Advisory GHSA-j62c-4x62-9r35 and the security patch commit.
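A lockfile audit for the affected ranges, as an added example that is not part of the advisory or the SvelteKit project. It assumes the npm lockfile v2/v3 layout (a top-level "packages" map keyed by install path, which is what makes nested copies visible) and runs against a lockfile constructed here for illustration; the range boundaries are the ones listed under Affected Products.

```javascript
// Added example (not from the SvelteKit project): classify @sveltejs/kit versions
// against the two affected ranges from the advisory and walk a package-lock.json
// (lockfile v2/v3 "packages" map) so nested copies are not missed.

// Ranges from the advisory. "ssrf" applies to adapter-node deployments without
// ORIGIN / Host validation; "dos" applies to any app with a prerendered route.
const RANGES = [
  { name: 'ssrf', lo: [2, 19, 0], hi: [2, 49, 4] },
  { name: 'dos',  lo: [2, 44, 0], hi: [2, 49, 4] }
];

// Major.minor.patch only; a prerelease suffix is ignored, so treat "2.49.5-next.1"
// as fixed only if you know the prerelease actually contains the patch.
function parse_version(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Names of the affected ranges this version falls into (empty when fixed or too old).
function affected_ranges(version) {
  const v = parse_version(version);
  return RANGES
    .filter((r) => compare(v, r.lo) >= 0 && compare(v, r.hi) <= 0)
    .map((r) => r.name);
}

// Every installed copy of @sveltejs/kit in a lockfile, including nested ones whose
// keys look like "node_modules/<plugin>/node_modules/@sveltejs/kit".
function audit_lockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/@sveltejs/kit') || !entry.version) continue;
    findings.push({ path, version: entry.version, affected: affected_ranges(entry.version) });
  }
  return findings;
}

// Constructed lockfile (not a real project): a top-level kit at the last affected
// version and an older nested copy pulled in by a plugin.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/@sveltejs/kit': { version: '2.49.4' },
    'node_modules/some-plugin': { version: '0.0.0' },
    'node_modules/some-plugin/node_modules/@sveltejs/kit': { version: '2.30.1' },
    'node_modules/svelte': { version: '0.0.0' }
  }
};

for (const f of audit_lockfile(SAMPLE_LOCK)) {
  console.log(f.path, f.version, f.affected.length ? `AFFECTED (${f.affected.join(', ')})` : 'ok');
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The nested copy in the sample is the case the one-line npm install misses: the top-level kit gets upgraded while the plugin's private copy stays at 2.30.1, which is still inside the SSRF range.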
Workarounds
- Set the ORIGIN environment variable explicitly to your application's public URL when using adapter-node
- Configure a reverse proxy to validate and normalize the Host header before requests reach the SvelteKit application; if you rely on adapter-node's PROTOCOL_HEADER, HOST_HEADER or PORT_HEADER settings instead of ORIGIN, make sure the proxy overwrites those forwarding headers rather than appending to client-supplied values
- Remove prerendered routes if they are not strictly necessary until the patch can be applied
- Implement network-level controls to restrict outbound connections from the application server
# Configuration example: set ORIGIN in the environment of the adapter-node process.
# adapter-node reads it at startup; with ORIGIN set, request headers are not consulted
# when building the origin.
ORIGIN="https://your-application-domain.com" node build

# Example nginx configuration for Host header validation. Certificate directives are
# omitted. The catch-all default_server answers any Host (or SNI name) that does not
# match the application's name, so requests for unknown hosts never reach the
# SvelteKit process.
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}

server {
    listen 443 ssl;
    server_name your-application-domain.com;

    location / {
        proxy_pass http://localhost:3000;
        # proxy_set_header replaces any client-supplied copy of these headers, so
        # the upstream never sees duplicate or attacker-chosen values
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

