CVE-2026-22803
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: GitHub, Inc.

Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
Generated: 2026-06-16

AI Q&A: 2026-01-16

EPSS Evaluated: 2026-06-15
Affected Vendors & Products
3 associated CPEs (vendor / product / version or range):
sveltejs / sveltekit / from 2.49.0 (inclusive) to 2.49.4 (inclusive)
sveltejs / sveltekit / 2.49.5
sveltejs / adapter_node / 5.5.1
CWE
CWE-789: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
AI Quick Actions
Executive Summary

CVE-2026-22803 is a high-severity denial-of-service (DoS) vulnerability in the SvelteKit framework's experimental remote function form data deserializer. The server eagerly allocates memory based on a declared data length in a custom binary form payload without validating that length. An attacker can send a small payload that declares a large data length and then stall the connection, so the server allocates excessive memory for data that never arrives; repeated over many connections, this exhausts server resources and results in a DoS condition. [2, 3]

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to make your SvelteKit server allocate large amounts of memory unnecessarily, leading to memory exhaustion. This can degrade server performance or crash the server, resulting in denial of service and making your web application unavailable to legitimate users. The attack is low complexity and requires only network access, since it consists of repeatedly opening connections and stalling payload delivery. [2]

Detection Guidance

This vulnerability can be detected by monitoring for unusual or repeated connections to SvelteKit remote function endpoints that use the content type application/x-sveltekit-formdata, especially requests that send a small payload with a large declared data length and then stall the connection. Network monitoring tools can identify such suspicious requests. Additionally, inspecting server logs for errors related to memory allocation or deserialization errors may help detect exploitation attempts. Specific commands are not provided in the resources. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade SvelteKit to version 2.49.5 or later, where the vulnerability is fixed by adding strict validations on content length and preventing eager large memory allocations. Additionally, ensure that experimental.remoteFunctions is not exposed unnecessarily and monitor for suspicious remote form submissions. Applying the patch from the official release (@sveltejs/kit version 2.49.5) is the recommended action. [1, 2, 3]
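To make the mechanism described in the Executive Summary and the fix described above concrete, here is an added JavaScript illustration (not SvelteKit's own code; the 4-byte length prefix, the MAX_FORM_BYTES cap and the function names are constructed for this example): a deserializer that allocates from a declared length as soon as the header arrives, beside one that bounds the declared length against a cap and the Content-Length and buffers only the bytes actually received.

```javascript
const MAX_FORM_BYTES = 1024 * 1024; // constructed server-side cap: 1 MiB

// Vulnerable shape (CWE-789): allocate the whole declared size as soon as the
// header arrives, before any body bytes have been received.
function eagerDecode(chunks) {
  const declared = chunks[0].readUInt32BE(0);   // client-controlled size
  const buf = Buffer.alloc(declared);            // eager allocation
  let received = 0;
  for (const c of [chunks[0].subarray(4), ...chunks.slice(1)]) {
    c.copy(buf, received);
    received += c.length;
  }
  return { allocated: buf.length, received };
}

// Hardened shape: reject declared lengths above the cap or above what the
// Content-Length header promises, then buffer only bytes that actually arrive.
function boundedDecode(chunks, contentLength) {
  const declared = chunks[0].readUInt32BE(0);
  if (declared > MAX_FORM_BYTES) throw new RangeError('declared length exceeds cap');
  if (contentLength !== undefined && declared + 4 > contentLength) {
    throw new RangeError('declared length exceeds Content-Length');
  }
  const parts = [];
  let received = 0;
  for (const c of [chunks[0].subarray(4), ...chunks.slice(1)]) {
    received += c.length;
    if (received > declared) throw new RangeError('body longer than declared');
    parts.push(c);
  }
  const buf = Buffer.concat(parts);              // sized by bytes received
  return { allocated: buf.length, received, complete: received === declared };
}

// Constructed sample: one chunk whose header declares `declared` bytes but
// carries only `body`, after which the client stalls and sends nothing more.
function stalledPayload(declared, body) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(declared, 0);
  return [Buffer.concat([header, Buffer.from(body)])];
}
```

The eager decoder commits the full declared size while only three bytes are on the wire; the bounded decoder either rejects the request up front or holds only what it has actually read.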
