---
title: "5 SvelteKit security vulnerabilities: what Netlify users need to know"
description: "Five CVEs affecting the Svelte ecosystem have been disclosed. Most have minimal impact on Netlify, but all affected sites should upgrade."
source: "https://www.netlify.com/changelog/2026-01-15-sveltekit-security-vulnerabilities/"
last_updated: "2026-07-06T11:38:29.000Z"
---
The Svelte team has disclosed [five CVEs affecting the Svelte and SvelteKit ecosystem](https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem). Here’s what Netlify customers need to know.

## Vulnerabilities

-   [**CVE-2026-22775**](https://www.cve.org/CVERecord?id=CVE-2026-22775): Memory/CPU exhaustion in `devalue` (5.1.0–5.6.1)
-   [**CVE-2026-22774**](https://www.cve.org/CVERecord?id=CVE-2026-22774): Memory exhaustion in `devalue` (5.3.0–5.6.1)
-   [**CVE-2026-22803**](https://www.cve.org/CVERecord?id=CVE-2026-22803): Server crash in `@sveltejs/kit` (2.49.0–2.49.4)
-   [**CVE-2025-67647**](https://www.cve.org/CVERecord?id=CVE-2025-67647): Server crash and SSRF in `@sveltejs/kit` (2.44.0–2.49.4) and `@sveltejs/adapter-node` (2.19.0–2.49.4)
-   [**CVE-2025-15265**](https://www.cve.org/CVERecord?id=CVE-2025-15265): XSS in `svelte` (5.46.0–5.46.3)

## Impact on Netlify

### CVE-2026-22775, CVE-2026-22774, and CVE-2026-22803

These are server-side denial-of-service (DoS) vulnerabilities. **On Netlify, these have minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.

In addition, note that only sites using the experimental [Remote Functions](https://svelte.dev/docs/kit/remote-functions) feature are affected.

### CVE-2025-67647

As above, this DoS vulnerability involves intentionally “crashing” a server. **On Netlify, this has minimal impact.**

The SSRF vulnerability affects a `@sveltejs/adapter-node`, which is not used by apps deployed to Netlify.

### CVE-2025-15265

This is a client-side cross-site scripting (XSS) vulnerability. **Regardless of hosting provider, all apps using the experimental `hydratable` with unsanitized user-controlled keys are vulnerable**.

## What should I do?

Although the impact to Netlify sites is limited in this case, we always strongly recommend upgrading as soon as possible to patched releases:

-   `devalue` 5.6.2 or later
-   `@sveltejs/kit` 2.49.5 or later
-   `@sveltejs/adapter-node` 5.5.1 or later
-   `svelte` 5.46.4 or later

## Resources

-   [Svelte team disclosure](https://svelte.dev/blog/cves-affecting-the-svelte-ecosystem)