CVE-2023-29008
JavaScript vulnerability analysis and mitigation

Overview

CVE-2023-29008 is a cross-site request forgery (CSRF) protection bypass in the SvelteKit framework, affecting versions prior to 1.15.2. The vulnerability exists in the framework's REST API implementation, specifically in the CSRF protection mechanism implemented at kit/src/runtime/server/respond.js. The issue was disclosed on April 6, 2023, and affects all SvelteKit installations before version 1.15.2 (GitHub Advisory).

Technical details

The vulnerability stems from an implementation flaw in the CSRF protection mechanism: the protection can be bypassed by specifying an upper-cased Content-Type header value. The framework checks the Content-Type header against the form content types (application/x-www-form-urlencoded, multipart/form-data, or text/plain), but the comparison is case-sensitive. Because browsers accept such case variations in the header value, a request whose Content-Type uses upper-case characters is still delivered as a form submission yet is not recognised as one by the check, so the protection does not apply. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

Impact

The vulnerability allows malicious requests to be submitted from third-party domains, enabling operations to be executed within the context of the victim's session. This can lead to unauthorized access to users' accounts, particularly affecting POST operations requiring authentication. The impact is especially severe in scenarios where the target site sets SameSite=None on its auth cookie and users visit malicious sites in Chromium-based browsers, or when the SameSite attribute isn't explicitly set and users visit malicious sites with Firefox/Safari with tracking protections disabled (GitHub Advisory).

Mitigation and workarounds

The primary mitigation is to upgrade to SvelteKit version 1.15.2 or later, which contains the patch for this vulnerability. Where an immediate upgrade is not possible, it is recommended to explicitly set the SameSite attribute on authentication cookies to a value other than None. The patch implements a case-insensitive comparison when checking the header value (GitHub Advisory, FortiGuard).
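The following is an added illustration, not SvelteKit's own code: it models the form-content-type check described in the technical details above in both its case-sensitive (pre-1.15.2) and case-insensitive (patched) forms, applies each inside a simplified cross-origin POST check, and shows the SameSite cookie workaround from this section. The function names, the request shape and the sample values are assumptions made for the example.

```javascript
// Added illustration (not SvelteKit's source): models the CSRF
// content-type check behind CVE-2023-29008 as the advisory describes it.
const FORM_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

// Header names are case-insensitive; headers here are a plain object
// with lower-cased keys (assumption for the example).
function header(headers, name) {
  return headers[name.toLowerCase()] ?? '';
}

// Strip parameters such as "; charset=utf-8" or "; boundary=..." so only
// the media type itself is compared.
function mediaType(contentType) {
  return contentType.split(';')[0].trim();
}

// Pre-1.15.2 behaviour as described: case-sensitive comparison, so an
// upper-cased header value is not recognised as a form submission.
function isFormContentTypeVulnerable(contentType) {
  return FORM_CONTENT_TYPES.includes(mediaType(contentType));
}

// Patched behaviour: normalise to lower case before comparing, matching the
// case-insensitive comparison the advisory says the fix implements.
function isFormContentTypeFixed(contentType) {
  return FORM_CONTENT_TYPES.includes(mediaType(contentType).toLowerCase());
}

// Simplified cross-origin form-POST check. Returns true when the request
// should be rejected (403). `isForm` is injected so both variants can be
// compared against the same request.
function shouldRejectCsrf({ method, headers, url }, isForm) {
  const origin = header(headers, 'origin');
  const isForm_ = isForm(header(headers, 'content-type'));
  return method === 'POST' && isForm_ && origin !== new URL(url).origin;
}

// Workaround from the advisory: never leave SameSite=None on the auth cookie.
// Lax is used here as the example value (assumption); Strict also qualifies.
function authCookieHeader(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}
```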

Additional resources


Source: This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID                 | Severity | Score | Technologies | Component name     | CISA KEV exploit | Has fix | Published date
CVE-2026-23744         | CRITICAL | 9.8   | JavaScript   | @mcpjam/inspector  | No               | Yes     | Jan 16, 2026
CVE-2026-23735         | HIGH     | 8.7   | JavaScript   | graphql-modules    | No               | Yes     | Jan 16, 2026
GHSA-gw32-9rmw-qwww    | HIGH     | 8.4   | JavaScript   | svelte             | No               | Yes     | Jan 16, 2026
CVE-2026-23745         | HIGH     | 8.2   | JavaScript   | nodejs-full-i18n   | No               | Yes     | Jan 16, 2026
GHSA-38cw-85xc-xr9x    | MEDIUM   | 6.8   | JavaScript   | @veramo/data-store | No               | Yes     | Jan 16, 2026
