
GHSA-VRHM-GVG7-FPCF: SvelteKit Remote Functions: Death by Type Coercion
Vulnerability ID: GHSA-VRHM-GVG7-FPCF
CVSS Score: 7.5
Published: 2026-02-19

A denial-of-service vulnerability in SvelteKit's experimental 'remote functions' feature allows attackers to crash the server via memory exhaustion. By manipulating a JSON-encoded 'file offset table' within a custom binary form payload, an attacker can trigger JavaScript type coercion that expands a small payload into gigabytes of string data, overwhelming the Node.js heap.

TL;DR

SvelteKit's experimental remote functions feature trusts user-supplied JSON for file offsets. Attackers can send nested arrays instead of numbers, triggering JavaScript type coercion that expands a 1MB payload into ~15GB of memory usage, crashing the server immediately.

⚠️ Exploit Status: POC

Technical Details

CWE: CWE-770 (Allocation of Resources Without Limits)
Attack Vector: Network (POST Request)
CVSS: 7.5 (High)
Impact: Denial of Service (Memory Exhaustion)
Affected Component
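The root cause described above is an offset table taken straight from user-supplied JSON without checking that each entry is actually a number. The following is an added example, written for this page and not SvelteKit's own code, showing why a loose range check is not enough (JavaScript coerces an array such as `[5]` to a number inside `<` and `>=`) and what a strict validator looks like. The `[start, end]` pair layout, the entry cap and the sample payload are constructed assumptions; the real SvelteKit encoding is not reproduced here.

```javascript
// Added example (not SvelteKit's code): strict validation of a JSON-supplied
// file offset table before any offset is used against the binary payload.
// Assumes a constructed layout of [start, end] pairs; the real SvelteKit
// encoding is not reproduced here.

// A loose range check is NOT a defence: relational operators coerce arrays and
// strings to numbers, so `[5] >= 0` and `[5] < 10` are both true.
function looseInRange(value, payloadLength) {
  return value >= 0 && value < payloadLength;
}

// Strict check: the value must be a real number, a safe integer, and in range.
// typeof rejects arrays/strings/objects; isSafeInteger rejects NaN, Infinity,
// fractions and absurdly large values.
function isValidOffset(value, payloadLength) {
  return (
    typeof value === 'number' &&
    Number.isSafeInteger(value) &&
    value >= 0 &&
    value <= payloadLength
  );
}

// Validate a whole table. Returns { ok: true, entries } or { ok: false, reason }.
// The entry cap (constructed default) keeps a huge table from being the DoS itself.
function validateOffsetTable(table, payloadLength, maxEntries = 1000) {
  if (!Array.isArray(table)) return { ok: false, reason: 'table is not an array' };
  if (table.length > maxEntries) return { ok: false, reason: 'too many entries' };
  const entries = [];
  let previousEnd = 0;
  for (let i = 0; i < table.length; i++) {
    const entry = table[i];
    if (!Array.isArray(entry) || entry.length !== 2) {
      return { ok: false, reason: `entry ${i} is not a [start, end] pair` };
    }
    const [start, end] = entry;
    if (!isValidOffset(start, payloadLength) || !isValidOffset(end, payloadLength)) {
      return { ok: false, reason: `entry ${i} has a non-integer or out-of-range offset` };
    }
    if (start > end) return { ok: false, reason: `entry ${i} has start > end` };
    if (start < previousEnd) return { ok: false, reason: `entry ${i} overlaps the previous entry` };
    previousEnd = end;
    entries.push({ start, end });
  }
  return { ok: true, entries };
}

// Only slice the payload once the table has passed strict validation.
function sliceFiles(payload, table) {
  const result = validateOffsetTable(table, payload.length);
  if (!result.ok) throw new Error(`rejected offset table: ${result.reason}`);
  return result.entries.map(({ start, end }) => payload.subarray(start, end));
}

// Constructed sample payload and tables.
const payload = Buffer.from('hello world, this is a constructed payload');
const goodTable = JSON.parse('[[0, 5], [6, 11]]');
const coercedTable = JSON.parse('[[0, [5]], [[6], 11]]'); // nested arrays where numbers belong

// Demonstration: the loose check accepts a nested array, the strict one rejects it.
const report = {
  looseAccepts: looseInRange([5], payload.length),
  strictAccepts: isValidOffset([5], payload.length),
  goodTable: validateOffsetTable(goodTable, payload.length).ok,
  coercedTable: validateOffsetTable(coercedTable, payload.length).ok,
};
```

The point of `isValidOffset` is the `typeof value === 'number'` guard: once that is enforced at the parsing boundary, no later arithmetic or string operation can be fed an array, so the coercion path the advisory describes is closed before any memory is allocated.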
Continue reading on Dev.to