Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
AnalysisAI
Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads, causing denial of service through resource exhaustion. Affects SvelteKit versions prior to 2.57.1 running adapter-node. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | SvelteKit versions prior to 2.57.1 using adapter-node. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Unauthenticated attacker can bypass BODY_SIZE_LIMIT on adapter-node deployments, enabling resource exhaustion denial-of-service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | Attacker sends oversized HTTP request body to SvelteKit application running adapter-node prior to 2.57.1. Request bypasses application-level BODY_SIZE_LIMIT constraint, consuming server resources and causing denial-of-service. … |
| Remediation | Vendor-released patch: upgrade SvelteKit to version 2.57.1 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Verify current SvelteKit and adapter-node versions across all production and staging environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
SvelteKit 2.19.0-2.49.4 has SSRF/DoS affecting applications with prerendered routes. Can be exploited to make the server
SvelteKit versions 2.49.0 through 2.49.4 are vulnerable to denial-of-service attacks through the experimental form remot
SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the h
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21502
GHSA-2crg-3p73-43xp