Skip to main content

Kit CVE-2026-40074

| EUVDEUVD-2026-21504 MEDIUM
Improper Handling of Exceptional Conditions (CWE-755)
2026-04-10 GitHub_M GHSA-3f6h-2hrp-w5wx
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 17:15 euvd
EUVD-2026-21504
Analysis Generated
Apr 10, 2026 - 17:15 vuln.today
CVE Published
Apr 10, 2026 - 16:26 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.

AnalysisAI

SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.

Technical ContextAI

SvelteKit's redirect() function is designed to issue HTTP redirects from server-side hooks. The handle server hook is a critical middleware component that processes all incoming requests. When redirect() receives a location parameter containing characters prohibited in HTTP headers (such as newlines or other control characters), the function fails to sanitize or validate the input before constructing the HTTP response header. This causes an unhandled TypeError at runtime due to improper input validation on untrusted data flowing through a server-side redirect mechanism. The root cause is classified as CWE-755 (Improper Handling of Exceptional Conditions), indicating a failure to gracefully handle or validate exceptional input conditions. The affected product is identified via CPE cpe:2.3:a:sveltejs:kit:*:*:*:*:*:*:*:* across all versions prior to the patch.

RemediationAI

Upgrade SvelteKit to version 2.57.1 or later, which contains the fix for HTTP header validation in the redirect() function. The patch is available in the official release at https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1 and was implemented via commit 10d7b44425c3d9da642eecce373d0c6ef83b4fcd. Applications should update their SvelteKit dependency to the patched version immediately. Until patching is possible, organizations should implement input validation at the application level to sanitize user input before passing it to the redirect() function, specifically removing or encoding characters that are invalid in HTTP headers (such as CR, LF, and other control characters).

Share

CVE-2026-40074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy