CVE-2025-67647: CWE-248: Uncaught Exception in sveltejs kit
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to server-side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
AI Analysis
Technical Summary
CVE-2025-67647 is a vulnerability in the SvelteKit web application framework affecting versions from 2.19.0 through 2.49.4. The flaw is rooted in uncaught exceptions leading to server-side request forgery (SSRF) and denial of service (DoS) conditions when applications have at least one prerendered route (export const prerender = true). Specifically, when using the adapter-node deployment without a configured ORIGIN environment variable and lacking a reverse proxy that validates the Host header, attackers can exploit this to cause DoS or SSRF. SSRF allows attackers to make unauthorized requests from the server to internal or external systems, potentially bypassing firewall restrictions, while DoS can disrupt service availability by crashing or exhausting server resources. The vulnerability does not require authentication or user interaction and can be triggered remotely, increasing its risk profile. The issue is tracked under CWE-248 (Uncaught Exception) and CWE-918 (Server-Side Request Forgery). The vulnerability was publicly disclosed in January 2026 and fixed in SvelteKit version 2.49.5. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and availability, with partial impact on integrity. No known exploits are currently reported in the wild, but the high severity and ease of exploitation warrant immediate attention.
Potential Impact
For European organizations, this vulnerability poses significant risks to web applications built with affected SvelteKit versions. The SSRF aspect can be leveraged to access internal network resources, potentially exposing sensitive data or enabling lateral movement within corporate networks. The DoS component can disrupt critical web services, causing downtime and impacting business continuity. Organizations relying on prerendered routes and adapter-node deployments without proper environment configuration or reverse proxy protections are particularly vulnerable. This can affect sectors with high web application usage such as finance, e-commerce, government, and technology. The ease of remote exploitation without authentication increases the likelihood of automated attacks and scanning by threat actors. Additionally, SSRF can be a stepping stone for more complex attacks, including data exfiltration or pivoting to internal systems. The vulnerability may also impact compliance with European data protection regulations if it leads to unauthorized data access or service disruptions.
Mitigation Recommendations
The primary mitigation is to upgrade all SvelteKit instances to version 2.49.5 or later, where the vulnerability is patched. For organizations unable to upgrade immediately, it is critical to set the ORIGIN environment variable to the application's public URL when using adapter-node, so that the server does not derive its own origin from the client-supplied Host header. Deploying a reverse proxy that performs strict Host header validation, rejecting requests whose Host header does not match the application's hostname, prevents exploitation of the SSRF vector. Additionally, implement network segmentation and firewall rules to limit the server's ability to make arbitrary outbound requests, reducing SSRF impact. Monitoring application logs for unusual request patterns targeting prerendered routes, in particular requests carrying unexpected Host headers, can help detect exploitation attempts. Conduct thorough code reviews to ensure no other uncaught exceptions or SSRF vectors exist. Finally, maintain an incident response plan to quickly address any detected exploitation attempts or service disruptions.
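The two compensating controls above (a mandatory ORIGIN setting and Host header allowlisting) in Node form, as an added example that is not code from SvelteKit, adapter-node or this advisory. It assumes a deployment where adapter-node is reached directly, so the allowlist check is done in-process rather than at a reverse proxy; the allowlist entries, the hypothetical hostAllowlist middleware and the sample Host values are constructed for illustration.

```javascript
// Added example, not SvelteKit's or adapter-node's own code. It shows the two
// compensating controls from the mitigation section for a Node deployment:
// (1) refuse to start unless ORIGIN is an absolute http(s) URL, and
// (2) reject requests whose Host header is not on an explicit allowlist,
// so the app never derives its own origin from attacker-controlled input.
// The allowlist and the sample header values below are constructed.

const DEFAULT_ALLOWED_HOSTS = ['app.example.com', 'app.example.com:8443']; // constructed

// Validate the ORIGIN environment variable and return the canonical origin.
// Throws so a misconfigured deployment fails at start-up rather than at the
// first request from a client that sets a Host header of its choosing.
function resolveOrigin(env = process.env) {
  const raw = env.ORIGIN;
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('ORIGIN is not set; set it to the public URL of the app');
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`ORIGIN is not an absolute URL: ${raw}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`ORIGIN must use http or https, got ${url.protocol}`);
  }
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '') {
    throw new Error(`ORIGIN must be a bare origin without path or query: ${raw}`);
  }
  return url.origin; // e.g. https://app.example.com (default port dropped)
}

// Canonicalise a Host header value: lower-case it, reject anything that is not
// host[:port] (no path, userinfo or whitespace), and drop an explicit default
// port so "app.example.com:443" over https matches "app.example.com".
function canonicalHost(hostHeader, scheme = 'https') {
  if (typeof hostHeader !== 'string') return null;
  const h = hostHeader.trim().toLowerCase();
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/.exec(h);
  if (!m) return null;
  const [, name, port] = m;
  if (port === undefined) return name;
  const p = Number(port);
  if (p < 1 || p > 65535) return null;
  const isDefault = (scheme === 'https' && p === 443) || (scheme === 'http' && p === 80);
  return isDefault ? name : `${name}:${p}`;
}

// Hypothetical connect/express-style middleware that drops requests whose Host
// header is not allowlisted. A reverse proxy normally does this job; the check
// lives here for deployments that expose adapter-node directly.
// Returns true when the request was passed on, false when it was rejected.
function hostAllowlist(allowedHosts = DEFAULT_ALLOWED_HOSTS, scheme = 'https') {
  const allowed = new Set(allowedHosts.map((h) => canonicalHost(h, scheme)));
  return function guard(req, res, next) {
    const host = canonicalHost(req.headers && req.headers.host, scheme);
    if (host === null || !allowed.has(host)) {
      res.statusCode = 421; // Misdirected Request: the Host does not belong to this server
      res.end('Misdirected Request');
      return false;
    }
    next();
    return true;
  };
}

// Pure helper for checks and tests: true if the Host value would be accepted.
function isHostAllowed(hostHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS, scheme = 'https') {
  const allowed = new Set(allowedHosts.map((h) => canonicalHost(h, scheme)));
  const host = canonicalHost(hostHeader, scheme);
  return host !== null && allowed.has(host);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample Host values, not captured traffic.
  const samples = ['app.example.com', 'APP.EXAMPLE.COM:443', 'evil.example', 'app.example.com/x', ''];
  for (const sample of samples) {
    console.log(JSON.stringify(sample), '->', isHostAllowed(sample) ? 'allowed' : 'rejected');
  }
  console.log('ORIGIN check:', resolveOrigin({ ORIGIN: 'https://app.example.com' }));
}
```

The 421 status is deliberate: a mismatched Host is a request this server is not authoritative for, and answering with a rendered page would be exactly the behaviour the advisory describes. Run the ORIGIN check once at process start so a missing variable is caught before the listener is opened.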
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-09T18:36:41.331Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6969342c53752d4047cfdaf0
Added to database: 1/15/2026, 6:38:36 PM
Last enriched: 1/15/2026, 6:52:57 PM
Last updated: 1/15/2026, 8:27:45 PM