GHSA-88qp-p4qg-rqm6: CPU exhaustion in SvelteKit remote form deserialization (experimental only)
Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the server to become unresponsive while processing a request, resulting in denial of service.
Only applications using both experimental.remoteFunctions and form are vulnerable.
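A quick triage check for the three conditions above, as an added example (not code from SvelteKit or from this advisory). The function names are hypothetical, the regex checks are heuristics, the '$app/server' import path for form is assumed from SvelteKit's remote functions feature rather than taken from this page, and the sample inputs are constructed.

```javascript
// Added example: heuristic triage for GHSA-88qp-p4qg-rqm6.
const FIXED = [2, 52, 2]; // first patched @sveltejs/kit version, per the advisory

// Parse "2.52.1" or "v2.52.1" into [major, minor, patch]; prerelease suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when the installed version sorts before 2.52.2 (numeric, not string, comparison).
function isVulnerableVersion(v) {
  const cur = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== FIXED[i]) return cur[i] < FIXED[i];
  }
  return false;
}

// Drop JS comments so a commented-out flag or import does not count.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, '');
}

// Heuristic: experimental.remoteFunctions set to true in the svelte.config.js text.
function remoteFunctionsEnabled(configSource) {
  return /\bremoteFunctions\s*:\s*true\b/.test(stripComments(configSource));
}

// Heuristic: a module imports `form` from '$app/server' (assumed import path).
function usesRemoteForm(source) {
  return /import\s*\{[^}]*\bform\b[^}]*\}\s*from\s*['"]\$app\/server['"]/
    .test(stripComments(source));
}

// All three conditions must hold for the application to be exposed.
function triage({ kitVersion, configSource, sources }) {
  const version = isVulnerableVersion(kitVersion);
  const flag = remoteFunctionsEnabled(configSource);
  const form = sources.some(usesRemoteForm);
  return { version, flag, form, affected: version && flag && form };
}

// Constructed sample inputs, not taken from any real project.
const SAMPLE_CONFIG = `export default { kit: { experimental: { remoteFunctions: true } } };`;
const SAMPLE_REMOTE = `import { form } from '$app/server';\nexport const subscribe = form(handler);`;

console.log(triage({ kitVersion: '2.52.1', configSource: SAMPLE_CONFIG, sources: [SAMPLE_REMOTE] }));
```

Feed it the version from the installed package (lockfile or node_modules), not the range in package.json, since a range such as ^2.50.0 can resolve to either side of 2.52.2.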