CVE-2026-40073 | THREATINT

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.

PUBLISHED Reserved 2026-04-09 | Published 2026-04-10 | Updated 2026-04-13 | Assigner GitHub_M

HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 2.57.1

affected

References

github.com/...js/kit/security/advisories/GHSA-2crg-3p73-43xp

github.com/...ommit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95

github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1

cve.org (CVE-2026-40073)

nvd.nist.gov (CVE-2026-40073)

Download JSON