HIGHCVE-2026-40073Published 2026-04-10Modified 2026-04-13CNA GitHub_M

CVE-2026-40073: SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

sveltejs / kit
< 2.57.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp
https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95
https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1

Metrics