Sending a GET or HEAD request with a body crashes SvelteKit

High severity GitHub Reviewed Published Jan 24, 2024 in sveltejs/kit • Updated Jan 24, 2024

Package: @sveltejs/adapter-node (npm)

Affected versions: >= 2.0.0, < 2.1.2; >= 3.0.0, < 3.0.3; = 4.0.0

Patched versions: 2.1.2; 3.0.3; 4.0.1

Package: @sveltejs/kit (npm)

Affected versions: >= 2.0.0, < 2.4.3

Patched versions: 2.4.3

Description

Summary

In SvelteKit 2, sending a GET request with a body (e.g. {}) to a SvelteKit app running in preview or with adapter-node throws "Request with GET/HEAD method cannot have body." and crashes the app.

node:internal/deps/undici/undici:6066
          throw new TypeError("Request with GET/HEAD method cannot have body.");
                ^

TypeError: Request with GET/HEAD method cannot have body.
    at new Request (node:internal/deps/undici/undici:6066:17)
    at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/node/index.js:107:9)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:181:26
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:172:6
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
    at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
    at file:///C:/Users/admin/Desktop/reproduction/node_modules/@sveltejs/kit/src/exports/vite/preview/index.js:211:27
    at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)

Node.js v20.11.0

TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.
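
The failure mode from the trace above, next to a guarded conversion that cannot throw on a client-controlled method or body. This is an added example, not code from SvelteKit or its patch; the function names, the 405/400 status choices and the sample URL are assumptions made for illustration.

```javascript
// Added illustration: function names are hypothetical, not SvelteKit's code.
// Requires Node.js 18+ for the global Request (undici).

const NO_BODY_METHODS = new Set(['GET', 'HEAD']);
// The Fetch standard forbids these methods; new Request() throws for them.
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);

// Failure mode: the incoming method and body are passed straight through.
// For GET/HEAD with a body this throws the TypeError shown in the trace,
// and an uncaught throw inside a request handler takes the process down.
function naiveToRequest(method, url, body) {
  return new Request(url, { method, body });
}

// Guarded conversion: never throws on client-controlled method/body.
// Returns { request } on success or { status } for the error response.
function guardedToRequest(method, url, body) {
  const m = String(method).toUpperCase();
  if (FORBIDDEN_METHODS.has(m)) return { status: 405 };
  const init = { method: m };
  // Ignore any body sent with GET/HEAD instead of forwarding it.
  if (!NO_BODY_METHODS.has(m) && body != null) init.body = body;
  try {
    return { request: new Request(url, init) };
  } catch (err) {
    // Anything else the constructor rejects is a malformed request.
    if (err instanceof TypeError) return { status: 400 };
    throw err;
  }
}

// Constructed sample input matching the request used in the PoC.
function demo() {
  const url = 'http://localhost:4173/bye';
  let naiveError = null;
  try { naiveToRequest('GET', url, '{}'); } catch (e) { naiveError = e; }
  return {
    naiveThrows: naiveError instanceof TypeError,
    get: guardedToRequest('GET', url, '{}'),
    trace: guardedToRequest('TRACE', url, null),
    post: guardedToRequest('POST', url, '{}'),
  };
}

console.log('naive conversion throws:', demo().naiveThrows);
```

A guard like this belongs at the point where the Node request is converted, so that a malformed request produces an error response instead of an unhandled exception.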

PoC

First, do a fresh install of SvelteKit 2 with the example app, using TypeScript.

  1. npm run build
  2. npm run preview
  3. Go to http://localhost:4173 (works)
  4. curl -X GET -d "{}" http://localhost:4173/bye
  5. Application crashes and http://localhost:4173 is down

Impact

Denial of Service for apps using adapter-node

References

@benmccann benmccann published to sveltejs/kit Jan 24, 2024
Published to the GitHub Advisory Database Jan 24, 2024
Reviewed Jan 24, 2024
Published by the National Vulnerability Database Jan 24, 2024
Last updated Jan 24, 2024

Severity

High, 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-23641

GHSA ID

GHSA-g5m6-hxpp-fc49
