EUVD-2026-21502
GHSA-2crg-3p73-43xp
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
Analysis
Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads, causing denial of service through resource exhaustion. Affects SvelteKit versions prior to 2.57.1 running adapter-node. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Verify current SvelteKit and adapter-node versions across all production and staging environments. Within 7 days: If running SvelteKit <2.57.1 with adapter-node, implement or validate WAF and infrastructure-level request body size limits as interim controls. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today