Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67647

CVE-2025-67647: Svelte Adapter-node DoS Vulnerability

CVE-2025-67647 is a denial of service flaw in SvelteKit adapter-node affecting apps with prerendered routes. Attackers can exploit this to cause service disruption. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-67647 Overview

CVE-2025-67647 is a Server-Side Request Forgery (SSRF) and Denial of Service (DoS) vulnerability affecting SvelteKit, a popular framework for rapidly developing robust, performant web applications using Svelte. The vulnerability exists in versions prior to 2.49.5 and can be exploited under specific application configurations involving prerendered routes and the adapter-node deployment adapter.

The vulnerability manifests in two distinct attack scenarios depending on the SvelteKit version and configuration. From versions 2.44.0 through 2.49.4, applications with at least one prerendered route (configured via export const prerender = true) are vulnerable to DoS attacks. From versions 2.19.0 through 2.49.4, the vulnerability scope expands to include SSRF when applications use adapter-node without a configured ORIGIN environment variable and lack a reverse proxy implementing Host header validation.

Critical Impact

Attackers can exploit improperly validated headers to trigger server-side request forgery attacks or cause denial of service conditions on SvelteKit applications with prerendered routes.

Affected Products

  • SvelteKit versions 2.44.0 through 2.49.4 (DoS via prerendered routes)
  • SvelteKit versions 2.19.0 through 2.49.4 (SSRF/DoS with adapter-node configuration)
  • Svelte adapter-node (when used without ORIGIN environment variable)

Discovery Timeline

  • 2026-01-15 - CVE CVE-2025-67647 published to NVD
  • 2026-01-21 - Last updated in NVD database

Technical Details for CVE-2025-67647

Vulnerability Analysis

This vulnerability stems from improper handling and validation of HTTP headers in SvelteKit's server-side request handling, specifically within the adapter-node handler and the core respond module. The root cause relates to CWE-918 (Server-Side Request Forgery) and CWE-248 (Uncaught Exception), where malicious header values can manipulate the origin determination logic or cause unhandled exceptions leading to service disruption.

The attack is network-accessible and requires no authentication or user interaction, making it particularly concerning for publicly exposed SvelteKit applications. The vulnerability can lead to high confidentiality and availability impacts, with potential for attackers to access internal resources through SSRF or render the application unavailable through DoS.

Root Cause

The vulnerability originates from insufficient validation of header values used to construct the request origin. The get_origin() function in the adapter-node handler did not properly normalize and validate protocol, host, and port headers before constructing the origin URL. When multiple header values were provided where only one was expected, or when header values contained malicious payloads, the application could be manipulated to make requests to unintended destinations or crash due to unhandled exceptions.

Additionally, the respond module failed to properly compare decoded URL pathnames when serving prerendered resources, allowing attackers to craft requests that triggered unexpected behavior in the prerendering logic.

Attack Vector

The attack is conducted over the network by sending specially crafted HTTP requests with manipulated headers. Attackers can target applications that:

  1. Have at least one prerendered route configured
  2. Use adapter-node without setting the ORIGIN environment variable
  3. Are not protected by a reverse proxy that validates Host headers

The security patches demonstrate the fix approach. In the adapter-node handler, a new normalise_header() function was introduced:

javascript
/**
 * @param {string} name
 * @param {string | string[] | undefined} value
 * @returns {string | undefined}
 */
function normalise_header(name, value) {
	if (!name) return undefined;
	if (Array.isArray(value)) {
		if (value.length === 0) return undefined;
		if (value.length === 1) return value[0];
		throw new Error(
			`Multiple values provided for ${name} header where only one expected: ${value}`
		);
	}
	return value;
}

/**
 * @param {import('http').IncomingHttpHeaders} headers
 * @returns {string}
 */
function get_origin(headers) {
	const protocol = decodeURIComponent(normalise_header(protocol_header, headers[protocol_header]) || 'https');

Source: GitHub Commit Update

The respond module was also patched to properly decode URL pathnames before comparison:

javascript
	// try to serve the rerouted prerendered resource if it exists
	if (
		// the resolved path has been decoded so it should be compared to the decoded url pathname
		resolved_path !== decode_pathname(url.pathname) &&
		!state.prerendering?.fallback &&
		has_prerendered_path(manifest, resolved_path)
	) {

Source: GitHub Commit Update

Detection Methods for CVE-2025-67647

Indicators of Compromise

  • Unusual HTTP requests with multiple values for protocol, host, or port headers
  • Server logs showing requests to internal network resources or unexpected destinations
  • Application crashes or unhandled exceptions in the SvelteKit handler modules
  • Requests targeting prerendered routes with malformed or encoded URL paths

Detection Strategies

  • Monitor HTTP access logs for requests containing suspicious header patterns, particularly multiple values for X-Forwarded-Proto, X-Forwarded-Host, or similar headers
  • Implement Web Application Firewall (WAF) rules to detect and block requests with malformed or duplicate forwarding headers
  • Review application error logs for uncaught exceptions originating from packages/adapter-node/src/handler.js or packages/kit/src/runtime/server/respond.js
  • Configure intrusion detection systems to alert on outbound connections from the application server to unexpected internal resources

Monitoring Recommendations

  • Enable verbose logging for SvelteKit applications to capture header values and request processing details
  • Monitor server resource utilization for signs of DoS attacks, including CPU spikes, memory exhaustion, or connection pool depletion
  • Implement network segmentation monitoring to detect SSRF attempts reaching internal services
  • Set up alerting for abnormal traffic patterns targeting prerendered routes

How to Mitigate CVE-2025-67647

Immediate Actions Required

  • Upgrade SvelteKit to version 2.49.5 or later immediately
  • Configure the ORIGIN environment variable explicitly when using adapter-node
  • Deploy a reverse proxy (nginx, Apache, or cloud load balancer) that validates and sanitizes Host headers
  • Review and audit all prerendered routes in the application for potential exposure

Patch Information

The vulnerability is fixed in SvelteKit version 2.49.5. The patch introduces proper header normalization and validation in the adapter-node handler, along with corrected URL pathname decoding in the respond module. Organizations should update their dependencies using:

bash
npm update @sveltejs/kit@2.49.5
npm update @sveltejs/adapter-node

For detailed patch information, refer to the GitHub Security Advisory GHSA-j62c-4x62-9r35 and the security patch commit.

Workarounds

  • Set the ORIGIN environment variable explicitly to your application's public URL when using adapter-node
  • Configure a reverse proxy to validate and normalize Host headers before requests reach the SvelteKit application
  • Remove prerendered routes if they are not strictly necessary until the patch can be applied
  • Implement network-level controls to restrict outbound connections from the application server
bash
# Configuration example for setting ORIGIN environment variable
export ORIGIN="https://your-application-domain.com"

# Example nginx configuration for Host header validation
server {
    listen 443 ssl;
    server_name your-application-domain.com;
    
    # Validate Host header
    if ($host !~* ^(your-application-domain\.com)$) {
        return 444;
    }
    
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.