SvelteKit framework has Insufficient CSRF protection for CORS requests
CVE-2023-29008

8.8HIGH

Key Information:

Vendor: Sveltejs
Status: Kit
Vendor: CVE Published:; 6 April 2023

What is CVE-2023-29008?

The SvelteKit framework, which allows developers to create REST APIs, has a vulnerability that impacts its built-in CSRF protection in versions prior to 1.15.2. While the CSRF protection mechanism is generally effective, it can be circumvented by crafting an upper-cased 'Content-Type' header. This oversight permits malicious actors to issue unauthorized requests from third-party domains, potentially leading to operations being executed in the context of the victim's session. Consequently, users may face unauthorized access to their accounts, particularly when authentication cookies are inadequately configured with the 'SameSite' attribute. It is crucial for users to upgrade to SvelteKit 1.15.2 or above to remedy this security concern, and to define the 'SameSite' attribute on their auth cookies to enhance protection against such vulnerabilities.

Affected Version(s)

kit < 1.15.2

References

https://github.com/sveltejs/kit/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/sveltejs/kit/commit/ba436c6685e751d968...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2023
Vulnerability Reserved
Mar 29, 2023

CVE-2023-29008 Data

JSON

Sveltejs

What is CVE-2023-29008?

Affected Version(s)

References

CVSS V3.1

Timeline