In SvelteKit 2 sending a GET request with a body eg {} to a SvelteKit app in preview or with adapter-node throws Request with GET/HEAD method cannot have body. and crashes the app.
node:internal/deps/undici/undici:6066
throw new TypeError("Request with GET/HEAD method cannot have body.");
^
TypeError: Request with GET/HEAD method cannot have body.
at new Request (node:internal/deps/undici/undici:6066:17)
at getRequest (file:///C:/Users/admin/Desktop/reproduction/node_modules/@​sveltejs/kit/src/exports/node/index.js:107:9)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@​sveltejs/kit/src/exports/vite/preview/index.js:181:26
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@​sveltejs/kit/src/exports/vite/preview/index.js:172:6
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
at next (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44739:5)
at file:///C:/Users/admin/Desktop/reproduction/node_modules/@​sveltejs/kit/src/exports/vite/preview/index.js:211:27
at call (file:///C:/Users/admin/Desktop/reproduction/node_modules/vite/dist/node/chunks/dep-9A4-l-43.js:44795:7)
Node.js v20.11.0
TRACE requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.
PoC
First do a fresh install of SvelteKit 2 with the example app. Typescript.
This PR contains the following updates:
2.4.1
->2.4.3
GitHub Vulnerability Alerts
CVE-2024-23641
Summary
In SvelteKit 2 sending a GET request with a body eg
{}
to a SvelteKit app in preview or withadapter-node
throwsRequest with GET/HEAD method cannot have body.
and crashes the app.TRACE
requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected.PoC
First do a fresh install of SvelteKit 2 with the example app. Typescript.
npm run build
npm run preview
Impact
Denial of Service for apps using
adapter-node
Release Notes
sveltejs/kit (@sveltejs/kit)
### [`v2.4.3`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#243) [Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.4.2...@sveltejs/kit@2.4.3) ##### Patch Changes - fix: only disallow body with GET/HEAD ([#11710](https://togithub.com/sveltejs/kit/pull/11710)) ### [`v2.4.2`](https://togithub.com/sveltejs/kit/blob/HEAD/packages/kit/CHANGELOG.md#242) [Compare Source](https://togithub.com/sveltejs/kit/compare/@sveltejs/kit@2.4.1...@sveltejs/kit@2.4.2) ##### Patch Changes - fix: ignore bodies sent with non-PUT/PATCH/POST requests ([#11708](https://togithub.com/sveltejs/kit/pull/11708))Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.