Skip to main content

Kit CVE-2026-40073

| EUVDEUVD-2026-21502 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-10 GitHub_M GHSA-2crg-3p73-43xp
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 17:15 euvd
EUVD-2026-21502
Analysis Generated
Apr 10, 2026 - 17:15 vuln.today
CVE Published
Apr 10, 2026 - 16:24 nvd
HIGH 8.2

DescriptionGitHub Advisory

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.

AnalysisAI

Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads, causing denial of service through resource exhaustion. Affects SvelteKit versions prior to 2.57.1 running adapter-node. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft oversized HTTP request body
Exploit
Bypass BODY_SIZE_LIMIT validation in adapter-node
Impact
Trigger denial of service via resource exhaustion

Vulnerability AssessmentAI

Exploitation SvelteKit versions prior to 2.57.1 using adapter-node. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Unauthenticated attacker can bypass BODY_SIZE_LIMIT on adapter-node deployments, enabling resource exhaustion denial-of-service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Attacker sends oversized HTTP request body to SvelteKit application running adapter-node prior to 2.57.1. Request bypasses application-level BODY_SIZE_LIMIT constraint, consuming server resources and causing denial-of-service. …
Remediation Vendor-released patch: upgrade SvelteKit to version 2.57.1 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify current SvelteKit and adapter-node versions across all production and staging environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40073 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy