Intel

AIKIDO-2026-865660

@sveltejs/kit is vulnerable to Sensitive Information Disclosure

Sensitive Information Disclosure Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

68

Medium Risk

This Affects:

JS@sveltejs/kit
2.27.0 - 2.65.1
Fixed in 2.65.2
Are you affected? Scan for Free

TL;DR

SvelteKit serves experimental remote function query responses from the server without any cache-control headers. Because these responses can contain personalized, user-specific data, a shared cache such as a CDN or reverse proxy can store one user's response and later serve it to other users. This exposes sensitive personalized data across users. The fix sends cache-control: private, no-store on remote function responses, except during prerendering, so shared caches never store them.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and have enabled the experimental remote functions feature.

Background info

@sveltejs/kit is vulnerable to Sensitive Information Disclosure in versions 2.27.0 - 2.65.1.

How to fix this

Upgrade the @sveltejs/kit library to the patch version.