CVE-2024-23641: 
JavaScript vulnerability analysis and mitigation

In SvelteKit 2, a vulnerability was discovered where sending a GET or HEAD request with a body (e.g., '{}') to a built and previewed/hosted SvelteKit app would cause the application to crash. This vulnerability, identified as CVE-2024-23641, affects SvelteKit versions 2.0.0-2.4.2 and adapter-node versions 2.0.0-2.1.1, 3.0.0-3.0.2, and 4.0.0 (GitHub Advisory).

The vulnerability occurs when processing GET or HEAD requests containing a body, which triggers a TypeError with the message 'Request with GET/HEAD method cannot have body' in the Node.js internal Undici implementation. The error originates in the getRequest function within the SvelteKit node export module, causing the application to terminate unexpectedly. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and high availability impact (GitHub Advisory).

The primary impact of this vulnerability is a Denial of Service (DoS) condition for applications using adapter-node. When exploited, the vulnerability causes the application to crash and become unavailable, affecting all users attempting to access the service. Prerendered pages and SvelteKit 1 apps are not affected by this vulnerability (GitHub Advisory).

The vulnerability has been patched in SvelteKit version 2.4.3 and adapter-node versions 2.1.2, 3.0.3, and 4.0.1. The fix involves ignoring bodies sent with non-PUT/PATCH/POST requests (GitHub Commit). Users are advised to upgrade to these patched versions to protect against this vulnerability.