SCA: security update for @sveltejs/kit (GHSA-5p75-vc5g-8rv2)

high Tenable Self-Hosted Container Security Plugin ID 410942

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create
simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different
HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users.
While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1,
the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused,
this issue will allow malicious requests to be submitted from third-party domains, which can allow
execution of operations within the context of the victim's session, and in extreme scenarios can lead to
unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call
in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection
mechanism against potential method overrides, SvelteKit 1.15.1 is now performing validation on `PUT`,
`PATCH` and `DELETE` methods as well. This latter hardening is only needed to protect users who have put
in some sort of `?_method= override` feature themselves in their `handle` hook, so that the request that
resolve sees could be `PUT`/`PATCH`/`DELETE` when the browser issues a `POST` request. (CVE-2023-29003)

See Also

https://github.com/advisories/GHSA-5p75-vc5g-8rv2

Plugin Details

Severity: High

ID: 410942

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-29003

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/4/2023

Vulnerability Publication Date: 4/4/2023

Reference Information

CVE: CVE-2023-29003