@sveltejs/kit is vulnerable to Sensitive Information Disclosure
68
Medium Risk
SvelteKit serves experimental remote function query responses from the server without any cache-control headers. Because these responses can contain personalized, user-specific data, a shared cache such as a CDN or reverse proxy can store one user's response and later serve it to other users. This exposes sensitive personalized data across users. The fix sends cache-control: private, no-store on remote function responses, except during prerendering, so shared caches never store them.
You are affected if you are using a version that falls within the vulnerable range and have enabled the experimental remote functions feature.
@sveltejs/kit is vulnerable to Sensitive Information Disclosure in versions 2.27.0 - 2.65.1.
Upgrade the @sveltejs/kit library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant