{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40073", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.204Z", "datePublished": "2026-04-10T16:24:39.987Z", "dateUpdated": "2026-04-13T15:36:57.412Z"}, "containers": {"cna": {"title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"}, {"name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"}, {"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"}], "affected": [{"vendor": "sveltejs", "product": "kit", "versions": [{"version": "< 2.57.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:24:39.987Z"}, "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."}], "source": {"advisory": "GHSA-2crg-3p73-43xp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:04:15.946303Z", "id": "CVE-2026-40073", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:36:57.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:04:15.946303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:33:26.150Z"}}], "cna": {"title": "SvelteKit has a BODY_SIZE_LIMIT bypass in @sveltejs/adapter-node", "source": {"advisory": "GHSA-2crg-3p73-43xp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sveltejs", "product": "kit", "versions": [{"status": "affected", "version": "< 2.57.1"}]}], "references": [{"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp", "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95", "name": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1", "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:24:39.987Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40073", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:36:57.412Z", "dateReserved": "2026-04-09T00:39:12.204Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T16:24:39.987Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CC23CF52-37C9-4CA0-91A7-DF09E36C7886", "versionEndExcluding": "2.57.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1."}], "id": "CVE-2026-40073", "lastModified": "2026-04-15T18:43:03.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T17:17:12.357", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.57.1)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "kit", "source": "cna", "vendor": "sveltejs"}, "product": "kit", "vendor": "svelte"}], "analysis": {"en": {"generated_at": "2026-04-10T18:23:54.840926+00:00", "value": {"mitigation_remediation": ["Upgrade SvelteKit to version 2.57.1 or later to remove the BODY_SIZE_LIMIT bypass."], "summary": {"action": "Update", "impact": "Large HTTP request bodies bypass application\u2011level size limits, potentially leading to resource exhaustion."}, "threat_synthesis": {"affected_systems": "The impact is limited to applications built with SvelteKit, specifically those using the @sveltejs/adapter-node runtime before the 2.57.1 release. Any deployment of SvelteKit that has not applied the 2.57.1 patch inherits the vulnerability.", "description_and_impact": "A vulnerability in the SvelteKit framework\u2019s adapter-node module allows attackers to submit HTTP requests containing bodies larger than the application\u2011defined BODY_SIZE_LIMIT. The bypass permits the server to process oversized payloads that would normally be rejected, exposing the application to denial\u2011of\u2011service or memory\u2011pressure attacks. The weakness is categorized as CWE\u2011770, misuse of resource management.", "risk_and_exploitability": "This issue carries a CVSS score of 8.2, indicating high severity. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog, though it remains significant. The likely attack vector is any HTTP request carrying a large payload\u2014such as POST, PUT, or PATCH\u2014to the application, which can be performed remotely over standard network connections. Because WAF, gateway, or other platform\u2011level limits remain unaffected, the attacker can bypass only the application\u2011level check, but the impact on server resources remains severe."}}}}, "created": "2026-04-13T12:43:55.439047+00:00", "updated": "2026-04-13T13:00:23.094784+00:00", "vendors": ["svelte", "svelte$PRODUCT$kit"]}