AI uncovers 'SvelteSpill' flaw in Vercel SvelteKit apps
Aikido Security has reported its autonomous AI pentesting system found and reproduced a high-severity vulnerability affecting default SvelteKit deployments on Vercel, a common hosting platform for the framework.
Vercel has rolled out a platform-wide fix and says developers do not need to take action.
The issue affected SvelteKit applications on Vercel that used cookie-based authentication. An attacker could use a single malicious link to trigger caching of an authenticated response. The cached content could then be retrieved by someone without access to the victim's cookies.
The exposure could include session data and private API output. The flaw stemmed from an interaction between SvelteKit routing behaviour and Vercel's caching rules. Aikido dubbed the vulnerability "SvelteSpill".
Cache behaviour
The vulnerability centred on a routing parameter used by the SvelteKit adapter for Vercel. According to Aikido, the adapter accepts a __pathname query parameter intended for internal routing, but a crafted URL could send the request through a Vercel path that is cached aggressively and then have it rewritten to a protected API endpoint.
In that scenario, a response meant only for an authenticated user could be cached as if it were a public static asset, allowing another user to retrieve it later. Aikido said the behaviour did not require unusual configuration and was present in default deployments.
Cache deception is a known class of security issue, but this case sits at the intersection of a web framework, its hosting adapter, and a platform's edge caching behaviour, which can make the root cause difficult to identify. The exploit chain required both a specific URL shape and a hosting environment that would store the resulting response in a publicly accessible cache.
AI discovery
Aikido said its AI system worked autonomously and produced an end-to-end exploit. It said the process involved reasoning across more than 150,000 lines of framework and adapter code, and that it deployed hundreds of agents in parallel to explore different execution paths across the application and hosting layer.
Aikido argued the same investigation would likely take a human researcher months of focused auditing. It described the finding as an early public example of an AI system identifying a framework-level vulnerability and producing a working proof of concept.
Aikido said its engineers verified and reproduced the findings before disclosing them to Vercel, which has since deployed a platform-wide fix. Vercel says no developer action is required.
Wider impact
SvelteKit is a framework for building web applications, and Vercel is a widely used hosting provider for frontend and full-stack JavaScript projects. The combination is common among teams that deploy applications with edge caching and managed build pipelines.
Issues that affect default configurations in that stack can scale quickly because they reach many deployments that follow standard patterns. Aikido said every SvelteKit application deployed on Vercel was affected under the stated conditions. It said cookie-based authentication was key because the attack relied on the victim's browser sending cookies when loading the malicious link.
The report also highlights the challenge of enforcing caching boundaries for authenticated content. Teams often assume protected API responses cannot be stored in public caches. In practice, rewriting rules, asset paths, and caching defaults can undermine that assumption, particularly when a request passes through multiple layers with their own routing logic.
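The caching boundary described above can be enforced from the application side regardless of what a route or platform default sets. The following is an added example, not code from Aikido, Vercel or the SvelteKit project: a `handle`-style hook, shaped like SvelteKit's server hook, that marks every response to a cookie-authenticated request as not storable by shared caches, plus an audit helper that reports whether a response's headers would let an edge cache keep it. The session cookie name `session` is an assumption.

```javascript
// Added example (not Aikido's, Vercel's or SvelteKit's own code). Uses only the
// WHATWG Request/Response/Headers built into Node 18+.
const SESSION_COOKIE = 'session'; // assumed cookie name; adjust per app

// Parse a Cache-Control header into { directive: value | true }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || '').split(',')) {
    const [k, v] = part.trim().split('=');
    if (k) directives[k.toLowerCase()] = v === undefined ? true : v.replace(/"/g, '');
  }
  return directives;
}

// Conservative reading of RFC 9111: a shared cache must not store a response
// marked no-store or private; otherwise `public` or an explicit freshness
// lifetime (s-maxage, max-age, Expires) is taken as permission to store it.
function isSharedCacheable(headers) {
  const cc = parseCacheControl(headers.get('cache-control'));
  if (cc['no-store'] || cc['private']) return false;
  return Boolean(cc['public'] || 's-maxage' in cc || 'max-age' in cc || headers.get('expires'));
}

function hasSessionCookie(request) {
  const cookie = request.headers.get('cookie') || '';
  return cookie.split(';').some((c) => c.trim().startsWith(`${SESSION_COOKIE}=`));
}

// If the request carried a session cookie, override whatever caching headers
// the route produced so no shared cache can serve this body to another user.
function enforceNoSharedCache(request, response) {
  if (!hasSessionCookie(request)) return response;
  const headers = new Headers(response.headers);
  headers.set('Cache-Control', 'private, no-store');
  headers.append('Vary', 'Cookie');
  return new Response(response.body, { status: response.status, headers });
}

// Modelled on SvelteKit's `handle({ event, resolve })` hook: resolve the route,
// then apply the rule above to its response.
async function handle({ event, resolve }) {
  const response = await resolve(event);
  return enforceNoSharedCache(event.request, response);
}

module.exports = { parseCacheControl, isSharedCacheable, enforceNoSharedCache, handle };
```

Wire `handle` into `src/hooks.server.js` (or `.ts`) in a SvelteKit project; `isSharedCacheable` can also be run over captured response headers in tests to catch routes that drift back toward cacheable defaults.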
Related flaw
Aikido said the same research also uncovered a separate denial-of-service issue in an experimental SvelteKit feature, which it said was disclosed and fixed.
"SvelteSpill is one of the first framework-level vulnerabilities to be discovered and exploited end-to-end by AI. It will not be the last."
According to Aikido's description of the remediation, Vercel's platform-wide patch applies automatically to both new and existing affected applications.