VDB
KO
MEDIUM

GHSA-hgv7-v322-mmgr

@sveltejs/kit: `query.batch` cross-talk

Details

`query.batch()` could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @sveltejs/kit
Introduced in: 2.38.0 Fixed in: 2.60.1
Fix npm install @sveltejs/kit@2.60.1

References