{"id":"GHSA-88qp-p4qg-rqm6","summary":"CPU exhaustion in SvelteKit remote form deserialization (experimental only)","details":"Versions of `@sveltejs/kit` from 2.49.0 up to, but not including, 2.52.2 are vulnerable to CPU exhaustion when remote functions are enabled. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.\n\nOnly applications that use both `experimental.remoteFunctions` and `form` are vulnerable; the issue is fixed in 2.52.2.","modified":"2026-02-22T23:23:11.893790Z","published":"2026-02-19T20:30:25Z","database_specific":{"github_reviewed_at":"2026-02-19T20:30:25Z","github_reviewed":true,"nvd_published_at":null,"severity":"MODERATE","cwe_ids":["CWE-843"]},"references":[{"type":"WEB","url":"https://github.com/sveltejs/kit/security/advisories/GHSA-88qp-p4qg-rqm6"},{"type":"WEB","url":"https://github.com/sveltejs/kit/commit/3e607b314aec9e5f278d32847945b8b6323e1cb8"},{"type":"PACKAGE","url":"https://github.com/sveltejs/kit"},{"type":"WEB","url":"https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.52.2"}],"affected":[{"package":{"name":"@sveltejs/kit","ecosystem":"npm","purl":"pkg:npm/%40sveltejs/kit"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.49.0"},{"fixed":"2.52.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-88qp-p4qg-rqm6/GHSA-88qp-p4qg-rqm6.json","last_known_affected_version_range":"\u003c= 2.52.1"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}