{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T08:51:26.527","vulnerabilities":[{"cve":{"id":"CVE-2025-67647","sourceIdentifier":"security-advisories@github.com","published":"2026-01-15T19:16:03.870","lastModified":"2026-01-21T20:37:37.653","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5."},{"lang":"es","value":"SvelteKit es un framework para desarrollar rápidamente aplicaciones web robustas y de alto rendimiento usando Svelte. Antes de la 2.49.5, SvelteKit es vulnerable a una falsificación de petición del lado del servidor (SSRF) y denegación de servicio (DoS) bajo ciertas condiciones. Desde la 2.44.0 hasta la 2.49.4, la vulnerabilidad resulta en una DoS cuando su aplicación tiene al menos una ruta prerrenderizada (export const prerender = true). Desde la 2.19.0 hasta la 2.49.4, la vulnerabilidad resulta en una DoS cuando su aplicación tiene al menos una ruta prerrenderizada y está usando adapter-node sin una variable de entorno ORIGIN configurada, y no está usando un proxy inverso que implemente la validación del encabezado Host. Esta vulnerabilidad está corregida en la 2.49.5."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{
"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-248"},{"lang":"en","value":"CWE-918"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:svelte:adapter-node:*:*:*:*:*:node.js:*:*","versionStartIncluding":"5.4.1","versionEndExcluding":"5.5.1","matchCriteriaId":"E3D434B8-77EC-432C-B1CA-AB441068FDD9"},{"vulnerable":true,"criteria":"cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.19.0","versionEndExcluding":"2.49.5","matchCriteriaId":"C7B8741D-ECC4-4E4D-BB92-208C0E740D40"}]}]}],"references":[{"url":"https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}