SvelteKit framework has Insufficient CSRF protection for CORS requests

CVE-2023-29008

What is CVE-2023-29008?

The SvelteKit framework, which allows developers to create REST APIs, has a vulnerability that impacts its built-in CSRF protection in versions prior to 1.15.2. While the CSRF protection mechanism is generally effective, it can be circumvented by crafting an upper-cased 'Content-Type' header. This oversight permits malicious actors to issue unauthorized requests from third-party domains, potentially leading to operations being executed in the context of the victim's session. Consequently, users may face unauthorized access to their accounts, particularly when authentication cookies are inadequately configured with the 'SameSite' attribute. It is crucial for users to upgrade to SvelteKit 1.15.2 or above to remedy this security concern, and to define the 'SameSite' attribute on their auth cookies to enhance protection against such vulnerabilities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References