Vulnerability Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Svelte | Kit | < 2.57.1 |
Related Weaknesses (CWE)
References
- https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95 (Patch)
- https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1 (Product, Release Notes)
- https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp (Vendor Advisory)
FAQ
What is CVE-2026-40073?
CVE-2026-40073 is a vulnerability with a CVSS score of 7.5 (HIGH). SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
How severe is CVE-2026-40073?
CVE-2026-40073 has been rated HIGH with a CVSS base score of 7.5/10.
Is there a patch for CVE-2026-40073?
Check the references section above for vendor advisories and patch information. Affected products include: Svelte Kit.