CVE-2026-40073

HIGH

SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node

Title source: cna

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.

References (3)

Scores

CVSS v3 7.5
EPSS 0.0008
EPSS Percentile 24.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-770
Status published
Products (3)
svelte/kit < 2.57.1
sveltejs/kit 0 - 2.57.1npm
sveltejs/kit < 2.57.1
Published Apr 10, 2026
Tracked Since Apr 10, 2026