SvelteSpill is a cache deception vulnerability affecting default SvelteKit apps deployed on Vercel. Authenticated responses can be cached and exposed across users. Learn how to check if you’re vulnerable and how to mitigate risk.

Aikido Security

A critical cache deception vulnerability (CVE-2026-27118) was discovered in SvelteKit apps deployed on Vercel. The SvelteKit Vercel adapter's `__pathname` query parameter — intended for Incremental Static Regeneration — allows any request path to be overridden without restriction. By crafting a URL under the `/_app/immutable/` prefix (which Vercel forcefully caches) and using `__pathname` to rewrite it to a sensitive endpoint like `/api/session`, an attacker can trick a logged-in victim into visiting the URL. Vercel's caching layer then stores the authenticated response publicly, allowing the attacker to retrieve the victim's private data without any cookies. The vulnerability required no misconfiguration — just a default SvelteKit + Vercel setup with cookie-based authentication. Vercel has automatically patched all users by returning 404 on `/_app/immutable/` paths and stripping the `__pathname` parameter. The bug was originally discovered by an AI pentesting agent from Aikido Security.

SvelteSpill: Critical Cache Deception Bug in SvelteKit + Vercel