GHSA-vrhm-gvg7-fpcf: Memory exhaustion in SvelteKit remote form deserialization (experimental only)

February 19, 2026

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service.

Only applications using both experimental.remoteFunctions and form are vulnerable.

References

github.com/advisories/GHSA-vrhm-gvg7-fpcf
github.com/sveltejs/kit
github.com/sveltejs/kit/commit/f47c01bd8100328c24fdb8522fe35913b0735f35
github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.52.2
github.com/sveltejs/kit/security/advisories/GHSA-vrhm-gvg7-fpcf

Code Behaviors & Features

Detect and mitigate GHSA-vrhm-gvg7-fpcf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →