Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
AnalysisAI
SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.
Technical ContextAI
SvelteKit's redirect() function is designed to issue HTTP redirects from server-side hooks. The handle server hook is a critical middleware component that processes all incoming requests. When redirect() receives a location parameter containing characters prohibited in HTTP headers (such as newlines or other control characters), the function fails to sanitize or validate the input before constructing the HTTP response header. This causes an unhandled TypeError at runtime due to improper input validation on untrusted data flowing through a server-side redirect mechanism. The root cause is classified as CWE-755 (Improper Handling of Exceptional Conditions), indicating a failure to gracefully handle or validate exceptional input conditions. The affected product is identified via CPE cpe:2.3:a:sveltejs:kit:*:*:*:*:*:*:*:* across all versions prior to the patch.
RemediationAI
Upgrade SvelteKit to version 2.57.1 or later, which contains the fix for HTTP header validation in the redirect() function. The patch is available in the official release at https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1 and was implemented via commit 10d7b44425c3d9da642eecce373d0c6ef83b4fcd. Applications should update their SvelteKit dependency to the patched version immediately. Until patching is possible, organizations should implement input validation at the application level to sanitize user input before passing it to the redirect() function, specifically removing or encoding characters that are invalid in HTTP headers (such as CR, LF, and other control characters).
SvelteKit is a web development kit. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authe
SvelteKit 2.19.0-2.49.4 has SSRF/DoS affecting applications with prerendered routes. Can be exploited to make the server
Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads,
SvelteKit versions 2.49.0 through 2.49.4 are vulnerable to denial-of-service attacks through the experimental form remot
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21504
GHSA-3f6h-2hrp-w5wx