CVE-2025-67647
Published: 15 January 2026
Summary
CVE-2025-67647 is a critical-severity Uncaught Exception (CWE-248) vulnerability in Svelte Adapter-Node. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating the specific flaw in SvelteKit versions prior to 2.49.5 by applying the patch directly prevents SSRF and DoS exploitation.
Boundary protection using a reverse proxy that validates the Host header directly mitigates SSRF and DoS in adapter-node deployments that lack a configured ORIGIN environment variable.
Denial-of-service protections address the availability impact from exploitation triggers involving prerendered routes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF and DoS in a public-facing SvelteKit application directly enable remote exploitation of the application (T1190) and application or system exploitation for denial of service (T1499.004).
NVD Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Deeper analysis
CVE-2025-67647 is a server-side request forgery (SSRF) and denial-of-service (DoS) vulnerability affecting SvelteKit, a framework for building robust, performant web applications using Svelte. The issue impacts versions prior to 2.49.5, with specific DoS triggers in certain configurations: from 2.44.0 through 2.49.4 when an application has at least one prerendered route (export const prerender = true); and from 2.19.0 through 2.49.4 when using adapter-node without a configured ORIGIN environment variable and lacking a reverse proxy that validates the Host header. It is associated with CWE-248 and CWE-918, carrying a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity. Successful exploitation results in SSRF, enabling high confidentiality impact through unauthorized access to internal resources, and DoS, causing high availability impact by disrupting service, particularly in applications meeting the prerendered route and adapter-node conditions.
The vulnerability is fixed in SvelteKit version 2.49.5. Official mitigation guidance is available in the SvelteKit security advisory at https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35, with the patching commit at https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226. Security practitioners should upgrade to 2.49.5 or later and review configurations for prerendered routes and adapter-node usage.
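The Host header validation the advisory expects a reverse proxy to perform, shown here as an added JavaScript example that is not SvelteKit's or adapter-node's own code: the only acceptable Host is derived from the same ORIGIN value adapter-node reads, and any request naming another host is refused before it reaches the application. The fallback origin value and the hostGate wrapper are constructed for this demo.

```javascript
// ORIGIN is the environment variable adapter-node reads; the fallback
// value here is constructed for the demo, not taken from any real deployment.
const ORIGIN = process.env.ORIGIN || 'https://app.example.com';

// Resolve the deployed origin into a comparable hostname/port pair,
// filling in the scheme's default port when ORIGIN omits one.
function expectedHost(origin) {
  const u = new URL(origin);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return { protocol: u.protocol, hostname: u.hostname, port: u.port || defaultPort };
}

// Returns true only when the incoming Host header names the deployed origin.
// Missing, malformed or decorated Host values (paths, userinfo, query) fail.
function hostAllowed(hostHeader, origin = ORIGIN) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  const exp = expectedHost(origin);
  let parsed;
  try {
    // Parse under the expected scheme so default ports normalise the same way.
    parsed = new URL(`${exp.protocol}//${hostHeader}`);
  } catch {
    return false;
  }
  if (parsed.pathname !== '/' || parsed.username || parsed.search || parsed.hash) return false;
  const port = parsed.port || (exp.protocol === 'https:' ? '443' : '80');
  return parsed.hostname === exp.hostname && port === exp.port;
}

// Wrapper for a Node request handler (constructed for the demo): answers
// 421 Misdirected Request for any Host that is not the deployed origin, so
// attacker-controlled Host values never reach the SvelteKit server.
function hostGate(handler, origin = ORIGIN) {
  return (req, res) => {
    if (!hostAllowed(req.headers.host, origin)) {
      res.writeHead(421, { 'content-type': 'text/plain' });
      res.end('Misdirected Request');
      return;
    }
    handler(req, res);
  };
}
```

Validating Host at the proxy is a complement to, not a substitute for, setting ORIGIN on adapter-node and upgrading to 2.49.5.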
Details
- CWE(s)