SvelteKit apps deployed on Vercel were exposed to a severe cache-deception flaw, dubbed SvelteSpill, that let attackers steal session tokens and other private user data. The issue, found by Aikido Security's AI pentest on January 20, 2026, lies in how the SvelteKit Vercel adapter handles the __pathname query parameter. As of February 19, 2026, Vercel has fixed it platform-wide.
Vulnerability Mechanics

SvelteKit integrates with platforms such as Vercel through adapters, which provide features like Incremental Static Regeneration (ISR). The Vercel adapter's serverless.js takes __pathname from the URL query string and rewrites the request's pathname to it without any validation, so the parameter can override the path of any request.
Vercel's cache layer treats paths under /_app/immutable/ as static assets and aggressively applies public, immutable, max-age=31536000 Cache-Control headers to them, even when the response is actually dynamic. An attacker crafts a URL such as https://example.vercel.app/_app/immutable/x?__pathname=/api/session. When a logged-in victim visits it, the adapter rewrites the request to /api/session and returns the victim's private data (the session token, for example), but because the visible path carries the /_app/immutable/ prefix, Vercel's cache layer overrides the response with public caching.
The attacker then requests the same URL without cookies and receives the victim's cached data, confirmed by the X-Vercel-Cache: HIT response header. No misconfiguration is required: this works on any SvelteKit app on Vercel that uses cookies for authentication. Although Vercel's static handling in the serverless path initially led to cache-poisoning dead ends, Aikido's AI agent spotted the rewrite during testing and chained it to full exploitation.
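As an added illustration, not code from the article, the adapter or Vercel, the following JavaScript models the chain described above: an unvalidated __pathname rewrite at the origin, an edge cache that forces a long-lived public Cache-Control on anything under /_app/immutable/ while ignoring cookies, and the two remediations the article names (stripping __pathname and answering /_app/immutable/ paths that are not real assets with 404). The session record, the asset table, the cookie value and every function name are constructed for the example; the real adapter and edge cache are considerably more involved than this model.

```javascript
// Added example (not the adapter's or Vercel's real code): a toy model of the
// SvelteSpill cache-deception chain. Session data, asset list and names are
// constructed for illustration.

// Constructed sample data: one logged-in user and one real hashed asset.
const SESSIONS = { 'sid=abc123': { user: 'alice', token: 'tok_alice_secret' } };
const ASSETS = { '/_app/immutable/chunks/app.3f2a9c.js': 'console.log("app")' };

// Toy SvelteKit app: /api/session returns the caller's private session data;
// anything else is looked up in the asset table or answered with 404.
function app(pathname, cookie) {
  if (pathname === '/api/session') {
    const s = SESSIONS[cookie];
    return s ? { status: 200, body: JSON.stringify(s) } : { status: 401, body: '' };
  }
  if (pathname in ASSETS) return { status: 200, body: ASSETS[pathname] };
  return { status: 404, body: 'not found' };
}

// Vulnerable adapter behaviour: __pathname from the query string replaces the
// request path with no validation, so the app serves /api/session for a URL
// whose visible path sits under /_app/immutable/.
function vulnerableAdapter(rawUrl, cookie) {
  const url = new URL(rawUrl);
  const override = url.searchParams.get('__pathname');
  return app(override !== null ? override : url.pathname, cookie);
}

// Hardened adapter modelled on the described fix: __pathname is stripped, and a
// /_app/immutable/ URL that does not name a real asset gets a 404 before any
// app code runs, so the cache layer can never store dynamic data under it.
function hardenedAdapter(rawUrl, cookie) {
  const url = new URL(rawUrl);
  url.searchParams.delete('__pathname');
  if (url.pathname.startsWith('/_app/immutable/') && !(url.pathname in ASSETS)) {
    return { status: 404, body: 'not found' };
  }
  return app(url.pathname, cookie);
}

// Toy edge cache: keyed on the full URL, blind to cookies, and forcing a
// long-lived public Cache-Control on everything under /_app/immutable/, the way
// the article describes Vercel treating that prefix as static assets.
const IMMUTABLE_CC = 'public, immutable, max-age=31536000';
function makeEdge(adapter) {
  const store = new Map();
  return function edgeFetch(rawUrl, cookie) {
    const visiblePath = new URL(rawUrl).pathname;
    const treatAsAsset = visiblePath.startsWith('/_app/immutable/');
    if (treatAsAsset && store.has(rawUrl)) {
      return { ...store.get(rawUrl), xVercelCache: 'HIT' };
    }
    const res = adapter(rawUrl, cookie);
    const out = {
      ...res,
      cacheControl: treatAsAsset ? IMMUTABLE_CC : 'private, no-store',
      xVercelCache: 'MISS',
    };
    // Only successful "asset" responses are stored, regardless of who asked.
    if (treatAsAsset && res.status === 200) store.set(rawUrl, { ...out });
    return out;
  };
}

// The attack: the logged-in victim loads the crafted URL, then the attacker
// replays the same URL with no cookies and reads whatever the edge cached.
const ATTACK_URL = 'https://example.vercel.app/_app/immutable/x?__pathname=/api/session';
function runAttack(adapter) {
  const edge = makeEdge(adapter);
  const victim = edge(ATTACK_URL, 'sid=abc123');
  const attacker = edge(ATTACK_URL, undefined);
  return { victim, attacker, leaked: attacker.body.includes('tok_alice_secret') };
}

const vuln = runAttack(vulnerableAdapter);
const fixed = runAttack(hardenedAdapter);
console.log('vulnerable: attacker got', vuln.attacker.xVercelCache, 'leaked =', vuln.leaked);
console.log('hardened:   attacker got status', fixed.attacker.status, 'leaked =', fixed.leaked);
```

Against the vulnerable adapter the victim's /api/session response comes back with the immutable public Cache-Control and the attacker's cookie-less replay is an X-Vercel-Cache: HIT containing the token; against the hardened adapter both requests receive 404 and nothing is stored, while a genuine hashed asset under /_app/immutable/ is still served and cached as before.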
Aikido informed Vercel on January 21, 2026; triage took place on January 23, and by February 9 fixes had been implemented, including 404 responses on /_app/immutable/ paths and stripping of the __pathname parameter. The issue is tracked as Aikido Intel AIKIDO-2026-10191, GHSA-9pq4-5hcf-288c and CVE-2026-27118. A related denial-of-service issue in SvelteKit's experimental features (GHSA-vrhm-gvg7-fpcf) was also fixed.
To verify exposure, teams should rescan their repositories with a tool such as Aikido; apps deployed on Vercel receive the platform fix automatically. The case highlights a broader caching hazard in frameworks: a simple prefix-based cache rule, combined with request rewrites, can expose private data.