Aikido Security reported that its autonomous AI penetration testing system discovered and reproduced a high-severity vulnerability affecting the default SvelteKit deployment on Vercel, a common hosting platform for the framework.
Vercel is rolling out a platform-wide fix and says developers do not need to take any action.
The issue affected SvelteKit applications on Vercel that use cookie-based authentication. An attacker could use a single malicious link to cause the victim's authenticated response to be stored in the platform cache. The cached content could then be retrieved by anyone, with no access to the victim's cookies.
Potentially exposed data includes session data and private API output. The flaw arose from an interaction between SvelteKit's routing behavior and Vercel's caching rules. Aikido named the vulnerability "SvelteSpill."
Cache behavior
The vulnerability centered on the routing parameters used by the SvelteKit adapter for Vercel. According to Aikido, the adapter rewrites requests using a `__pathname` query parameter. Although that parameter is intended for internal routing, a crafted URL can pass through an aggressively cached Vercel path and be rewritten to a protected API endpoint.
In this scenario, responses that are intended only for authenticated users can be cached as if they were public static assets, allowing another user to retrieve them later. According to Aikido, this behavior did not require any special configuration and was present in the default deployment.
Cache deception is a known class of web vulnerability, but this case lies at the intersection of the web framework, its hosting adapter, and the platform's edge caching behavior, which makes the root cause harder to identify. The exploit chain required both a specific URL format and a hosting environment that stored the resulting responses in a publicly accessible cache.
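The chain above is easiest to see in a small model. The following is an added illustration, not adapter-vercel, Vercel, or Aikido code: the `/_app/immutable/` prefix as the always-cached path, the `__pathname` rewrite rule, the `/api/me` endpoint and the session store are all assumptions chosen to mirror the description. It runs the link twice through a simulated edge cache, once as the cookie-bearing victim and once as the cookie-less attacker, and compares a routing layer that honours an externally supplied `__pathname` with one that ignores it.

```javascript
// Toy model of the SvelteSpill cache-deception chain. Illustrative only:
// the prefix, rewrite rule, endpoint and session data below are assumptions,
// not the real adapter or platform behaviour.

const IMMUTABLE_PREFIX = "/_app/immutable/"; // assumed always-cached asset path
const SESSIONS = { "sid=victim-session": "alice" }; // constructed sample session

// Origin application: a single protected endpoint that echoes the caller's session.
function app(path, cookie) {
  if (path !== "/api/me") return { status: 404, body: "not found" };
  const user = SESSIONS[cookie];
  if (!user) return { status: 401, body: "unauthorized" };
  return { status: 200, body: JSON.stringify({ user }) };
}

// Routing layer. In the vulnerable variant a `__pathname` query parameter meant
// for internal rewrites is honoured even when it arrives from an external client.
function resolvePath(url, { trustExternalPathname }) {
  const u = new URL(url, "https://example.invalid");
  const internal = u.searchParams.get("__pathname");
  if (internal && trustExternalPathname) return internal;
  return u.pathname;
}

// Edge cache keyed on the full URL only. Anything under the immutable prefix is
// stored and replayed to later requesters regardless of the cookies they send.
class Edge {
  constructor(opts) {
    this.opts = opts;
    this.store = new Map();
  }
  fetch(url, cookie) {
    const u = new URL(url, "https://example.invalid");
    const cacheable = u.pathname.startsWith(IMMUTABLE_PREFIX);
    if (cacheable && this.store.has(url)) {
      return { ...this.store.get(url), fromCache: true };
    }
    const res = app(resolvePath(url, this.opts), cookie);
    if (cacheable && res.status === 200) this.store.set(url, res);
    return { ...res, fromCache: false };
  }
}

// Crafted link: looks like a static asset, but rewrites to the protected API.
const MALICIOUS_URL = IMMUTABLE_PREFIX + "x.js?__pathname=/api/me";

// Victim (with cookie) opens the link; attacker (no cookie) then requests the same URL.
function runScenario(opts) {
  const edge = new Edge(opts);
  const victim = edge.fetch(MALICIOUS_URL, "sid=victim-session");
  const attacker = edge.fetch(MALICIOUS_URL, null);
  return {
    victimStatus: victim.status,
    attackerStatus: attacker.status,
    attackerFromCache: attacker.fromCache,
    leaked: attacker.body.includes("alice"),
  };
}

console.log("vulnerable:", runScenario({ trustExternalPathname: true }));
console.log("hardened:  ", runScenario({ trustExternalPathname: false }));
```

In the vulnerable run the victim's 200 response to `/api/me` is stored under the asset-looking URL and replayed to the attacker. In the hardened run the rewrite parameter is ignored for external requests, the path resolves to a nonexistent asset, and nothing sensitive reaches the cache. That single control is one of several a platform could apply; a cache that honoured `Cache-Control: private` or `Vary: Cookie` on authenticated responses would be an independent second line of defence, and the two should not be treated as substitutes for each other.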
AI discovery
Aikido said the AI system operated autonomously and generated an end-to-end exploit. According to the company, the process involved reasoning across more than 150,000 lines of framework and adapter code and deployed hundreds of agents in parallel to explore different execution paths across the application and hosting tiers.
Aikido argued that a comparable manual investigation would likely require months of intensive auditing by human researchers. The company describes the discovery as an early public example of an AI system identifying a framework-level vulnerability and generating a working proof of concept.
Aikido said its engineers verified and reproduced the findings before disclosing them to Vercel, which introduced a platform-wide fix. Vercel says no developer action is required.
Wider impact
SvelteKit is a framework for building web applications, and Vercel is a widely used hosting provider for front-end and full-stack JavaScript projects. This combination is common for teams that use edge caching and managed build pipelines to deploy applications.
Issues that affect the default configuration of that stack can spread quickly, because they affect every deployment that follows the standard pattern. Aikido stated that all SvelteKit applications deployed on Vercel were affected under the conditions described. The company said cookie-based authentication was key because the attack relied on the victim's browser automatically attaching cookies when loading the malicious link.
The report also highlights the challenges of enforcing cache boundaries for authenticated content. Teams often assume that protected API responses cannot be stored in public caches. In practice, rewriting rules, asset paths, and cache defaults can break that assumption, especially when requests pass through multiple layers with their own routing logic.
Related defects
Aikido said the same investigation also found a separate denial-of-service issue in an experimental SvelteKit feature, which has since been disclosed and fixed.
“SvelteSpill was one of the first framework-level vulnerabilities discovered and exploited end-to-end by AI. It won’t be the last.”
According to Aikido’s remediation description, Vercel’s platform-wide patch is automatically applied to both new and existing affected applications.
