GHSA-fpg4-jhqr-589c: SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

February 28, 2026

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn’t check files.length or individual files’ sizes and performs expensive processing with them, it can result in Denial of Service.

Only users with experimental.remoteFunctions: true who are using the form function and are processing the files array without validation are vulnerable.

References

github.com/advisories/GHSA-fpg4-jhqr-589c
github.com/sveltejs/kit
github.com/sveltejs/kit/commit/faba869db3644077169bf5d7c6e41fd5f3d6c65e
github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.53.3
github.com/sveltejs/kit/security/advisories/GHSA-fpg4-jhqr-589c

Code Behaviors & Features

Detect and mitigate GHSA-fpg4-jhqr-589c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →