Security Update: Multiple vulnerabilities in SvelteKit
January 15, 2026
The Svelte team has disclosed five CVEs affecting the Svelte and SvelteKit ecosystem. Here’s what Netlify customers need to know.
Vulnerabilities
- CVE-2026-22775: Memory/CPU exhaustion in devalue (5.1.0–5.6.1)
- CVE-2026-22774: Memory exhaustion in devalue (5.3.0–5.6.1)
- CVE-2026-22803: Server crash in @sveltejs/kit (2.49.0–2.49.4)
- CVE-2025-67647: Server crash and SSRF in @sveltejs/kit (2.44.0–2.49.4) and @sveltejs/adapter-node (2.19.0–2.49.4)
- CVE-2025-15265: XSS in svelte (5.46.0–5.46.3)
Impact on Netlify
CVE-2026-22775, CVE-2026-22774, and CVE-2026-22803
These are server-side denial-of-service (DoS) vulnerabilities. On Netlify they have minimal impact: our autoscaling serverless architecture means that a malicious request which crashes or hangs one function invocation does not affect other requests. However, active exploitation could still increase your function invocation costs, since each malicious request is billed like any other.
In addition, note that only sites using the experimental Remote Functions feature are affected by these three CVEs.
CVE-2025-67647
The DoS component of this CVE, like the three above, involves intentionally crashing the server, and has minimal impact on Netlify for the same reason.
The SSRF component affects @sveltejs/adapter-node, which is not used by apps deployed to Netlify.
CVE-2025-15265
This is a client-side cross-site scripting (XSS) vulnerability. Regardless of hosting provider, any app that uses the experimental hydratable API with unsanitized, user-controlled keys is vulnerable.
What should I do?
Although the impact to Netlify sites is limited in this case, we always strongly recommend upgrading as soon as possible to the patched releases:
- devalue 5.6.2 or later
- @sveltejs/kit 2.49.5 or later
- @sveltejs/adapter-node 5.5.1 or later
- svelte 5.46.4 or later
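A quick way to confirm whether a project is actually in the affected ranges is to check every installed copy of these packages, not just the top-level one: a patched devalue at the root of node_modules can mask an older copy nested under @sveltejs/kit. The script below is an added example written for this post; it is not code from Netlify or the Svelte project. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (the "packages" map keyed by node_modules path), uses the version ranges and patched releases listed above, and ignores prerelease suffixes when comparing versions. The sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example, not code from the Netlify post or the Svelte project: scan a
// package-lock.json (lockfileVersion 2 or 3) for installed copies of the
// packages in this advisory, including nested copies under
// node_modules/<dep>/node_modules/, and report which CVE ranges they fall in.

// Inclusive affected ranges and first patched release, as listed in the advisory.
const ADVISORIES = [
  { id: 'CVE-2026-22775', pkg: 'devalue',                from: '5.1.0',  to: '5.6.1',  fixed: '5.6.2'  },
  { id: 'CVE-2026-22774', pkg: 'devalue',                from: '5.3.0',  to: '5.6.1',  fixed: '5.6.2'  },
  { id: 'CVE-2026-22803', pkg: '@sveltejs/kit',          from: '2.49.0', to: '2.49.4', fixed: '2.49.5' },
  { id: 'CVE-2025-67647', pkg: '@sveltejs/kit',          from: '2.44.0', to: '2.49.4', fixed: '2.49.5' },
  { id: 'CVE-2025-67647', pkg: '@sveltejs/adapter-node', from: '2.19.0', to: '2.49.4', fixed: '5.5.1'  },
  { id: 'CVE-2025-15265', pkg: 'svelte',                 from: '5.46.0', to: '5.46.3', fixed: '5.46.4' },
];

// Parse "MAJOR.MINOR.PATCH". A "-prerelease" suffix is ignored, so 5.6.2-next.0
// is treated like 5.6.2; that is a deliberate simplification (assumption) here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, field-by-field comparison returning -1, 0 or 1. A plain string
// comparison would wrongly rank 5.6.10 below 5.6.2.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when from <= v <= to (both bounds inclusive, as the advisory lists them).
function inRange(v, from, to) {
  return compareVersions(v, from) >= 0 && compareVersions(v, to) <= 0;
}

// "node_modules/@sveltejs/kit/node_modules/devalue" -> "devalue"
// The root entry (key "") has no node_modules segment and yields null.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns one finding per (installed copy, CVE) pair.
function findAffected(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !entry.version) continue;
    for (const adv of ADVISORIES) {
      if (adv.pkg === name && inRange(entry.version, adv.from, adv.to)) {
        findings.push({ id: adv.id, pkg: name, path: key, version: entry.version, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project): the patched top-level
// devalue masks an older copy nested under @sveltejs/kit, and svelte sits
// inside the XSS range while @sveltejs/kit itself is already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.0.1' },
    'node_modules/svelte': { version: '5.46.2' },
    'node_modules/@sveltejs/kit': { version: '2.49.5' },
    'node_modules/devalue': { version: '5.6.2' },
    'node_modules/@sveltejs/kit/node_modules/devalue': { version: '5.5.0' },
    'node_modules/@sveltejs/adapter-netlify': { version: '5.0.0' },
  },
};

// Usage against a real project:  LOCKFILE=./package-lock.json node check-sveltekit-advisory.js
// Without LOCKFILE set, the constructed sample above is scanned instead.
const lockPath = process.env.LOCKFILE;
const lock = lockPath ? JSON.parse(require('node:fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
for (const f of findAffected(lock)) {
  console.log(`${f.id}: ${f.path} is ${f.version}; upgrade ${f.pkg} to ${f.fixed} or later`);
}
```

On the sample lockfile this reports three findings: svelte 5.46.2 for CVE-2025-15265, and the nested devalue 5.5.0 for both CVE-2026-22775 and CVE-2026-22774, while the top-level devalue 5.6.2 and @sveltejs/kit 2.49.5 are correctly left alone. pnpm and yarn lockfiles use a different layout, so for those projects the same idea applies but the parsing step needs adapting; after upgrading, re-run the check (or npm ls for each package) to confirm no nested copy was left behind.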