11{
2- "schema_version" : " 1.4.0" ,
3- "id" : " GHSA-hgv7-v322-mmgr" ,
4- "modified" : " 2026-05-21T17:59:05Z" ,
5- "published" : " 2026-05-21T17:59:05Z" ,
6- "aliases" : [],
7- "summary" : " @sveltejs/kit: `query.batch` cross-talk" ,
8- "details" : " `query.batch()` could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure." ,
9- "severity" : [
10- {
11- "type" : " CVSS_V4" ,
12- "score" : " CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
13- }
14- ],
15- "affected" : [
16- {
17- "package" : {
18- "ecosystem" : " npm" ,
19- "name" : " @sveltejs/kit"
20- },
21- "ranges" : [
2+ "schema_version" : " 1.4.0" ,
3+ "id" : " GHSA-hgv7-v322-mmgr" ,
4+ "modified" : " 2026-05-21T17:59:05Z" ,
5+ "published" : " 2026-05-21T17:59:05Z" ,
6+ "aliases" : [],
7+ "summary" : " @sveltejs/kit: `query.batch` cross-talk" ,
8+ "details" : " `query.batch()` could, under very rare and specific timings, cause concurrent requests from different users to merge and resolve under single request context, enabling cross-user data disclosure." ,
9+ "severity" : [
10+ {
11+ "type" : " CVSS_V4" ,
12+ "score" : " CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
13+ },
2214 {
23- "type" : " ECOSYSTEM" ,
24- "events" : [
25- {
26- "introduced" : " 2.38.0"
15+ "type" : " CVSS_V3" ,
16+ "score" : " CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
17+ }
18+ ],
19+ "affected" : [
20+ {
21+ "package" : {
22+ "ecosystem" : " npm" ,
23+ "name" : " @sveltejs/kit"
2724 },
28- {
29- "fixed" : " 2.60.1"
30- }
31- ]
25+ "ranges" : [
26+ {
27+ "type" : " ECOSYSTEM" ,
28+ "events" : [
29+ {
30+ "introduced" : " 2.38.0"
31+ },
32+ {
33+ "fixed" : " 2.60.1"
34+ }
35+ ]
36+ }
37+ ]
3238 }
33- ],
34- "database_specific" : {
35- "last_known_affected_version_range" : " <= 2.60.0"
36- }
37- }
38- ],
39- "references" : [
40- {
41- "type" : " WEB" ,
42- "url" : " https://github.com/sveltejs/kit/security/advisories/GHSA-hgv7-v322-mmgr"
43- },
44- {
45- "type" : " PACKAGE" ,
46- "url" : " https://github.com/sveltejs/kit"
47- }
48- ],
49- "database_specific" : {
50- "cwe_ids" : [
51- " CWE-200"
5239 ],
53- "severity" : " MODERATE" ,
54- "github_reviewed" : true ,
55- "github_reviewed_at" : " 2026-05-21T17:59:05Z" ,
56- "nvd_published_at" : null
57- }
58- }
40+ "references" : [
41+ {
42+ "type" : " WEB" ,
43+ "url" : " https://github.com/sveltejs/kit/security/advisories/GHSA-hgv7-v322-mmgr"
44+ },
45+ {
46+ "type" : " WEB" ,
47+ "url" : " https://github.com/sveltejs/kit/commit/dadaefc2e647a0a62f49f3ee8bc7aa46f5e27056"
48+ },
49+ {
50+ "type" : " PACKAGE" ,
51+ "url" : " https://github.com/sveltejs/kit"
52+ }
53+ ],
54+ "database_specific" : {
55+ "cwe_ids" : [
56+ " CWE-200"
57+ ],
58+ "severity" : " MODERATE" ,
59+ "github_reviewed" : true ,
60+ "github_reviewed_at" : " 2026-05-21T17:59:05Z" ,
61+ "nvd_published_at" : null
62+ }
63+ }
0 commit comments