SvelteKit has Insufficient Cross-Site Request Forgery Protection
CVE-2023-29003

8.8HIGH

Key Information:

Vendor

Sveltejs

Status
Kit
Vendor
CVE Published:
4 April 2023

What is CVE-2023-29003?

The vulnerability in the SvelteKit framework relates to its CSRF protection mechanism, which, prior to version 1.15.1, could be bypassed by setting an atypical Content-Type header. This flaw allows attackers to send unauthorized requests from external sites, potentially leading to actions taken without the user's consent in the context of their session. The SvelteKit update in version 1.15.1 remedies this by refining CSRF protection logic to validate additional content types and enhancing security against method overrides for HTTP requests.

Affected Version(s)

kit < 1.15.1

References

https://github.com/sveltejs/kit/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/sveltejs/kit/commit/bb2253d51d00aba2e4...
x_refsource_MISC
https://github.com/sveltejs/kit/releases/tag/%40sveltejs%...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.