{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40074", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.205Z", "datePublished": "2026-04-10T16:26:07.068Z", "dateUpdated": "2026-04-14T14:17:29.422Z"}, "containers": {"cna": {"title": "SvelteKit's invalidated redirect in handle hook causes Denial-of-Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "lang": "en", "description": "CWE-755: Improper Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"}, {"name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"}, {"name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"}], "affected": [{"vendor": "sveltejs", "product": "kit", "versions": [{"version": "< 2.57.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:26:07.068Z"}, "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."}], "source": {"advisory": "GHSA-3f6h-2hrp-w5wx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:17:18.734745Z", "id": "CVE-2026-40074", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:17:29.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:17:18.734745Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:17:24.206Z"}}], "cna": {"title": "SvelteKit's invalidated redirect in handle hook causes Denial-of-Service", "source": {"advisory": "GHSA-3f6h-2hrp-w5wx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sveltejs", "product": "kit", "versions": [{"status": "affected", "version": "< 2.57.1"}]}], "references": [{"url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx", "name": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd", "name": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1", "name": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:26:07.068Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40074", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:17:29.422Z", "dateReserved": "2026-04-09T00:39:12.205Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T16:26:07.068Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CC23CF52-37C9-4CA0-91A7-DF09E36C7886", "versionEndExcluding": "2.57.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1."}], "id": "CVE-2026-40074", "lastModified": "2026-04-15T19:01:50.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T17:17:12.513", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.57.1)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "kit", "source": "cna", "vendor": "sveltejs"}, "product": "kit", "vendor": "svelte"}], "analysis": {"en": {"generated_at": "2026-04-10T18:23:40.634488+00:00", "value": {"mitigation_remediation": ["Upgrade SvelteKit to version 2.57.1 or later, which contains the fix for the redirect validation issue."], "summary": {"action": "Immediate Patch", "impact": "Denial-of-Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the SvelteKit framework before version 2.57.1. Users running sveltejs:kit with any earlier release are at risk. The impact applies to the entire application runtime, as the unhandled exception can bring services down if not properly isolated.", "description_and_impact": "A bug in SvelteKit\u2019s handle server hook allows an unhandled TypeError when the redirect helper is called with a location string that contains characters invalid for an HTTP header. This error terminates the request processing and can disable the application on affected platforms, resulting in a denial of service. The flaw stems from inadequate validation of user\u2011supplied input that is passed to redirect, making the application vulnerable to formatted header attacks. The underlying weakness is identified as CWE\u2011755, a usability error where a default behaviour causes unintended effects.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a medium severity. An attacker can exploit the flaw by sending an HTTP request that reaches the handle hook and includes a crafted location value with invalid header characters. The attack vector is likely remote, as the trigger occurs during normal request handling. EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation yet. However, the potential for service disruption warrants prompt action."}}}}, "created": "2026-04-13T12:43:54.436797+00:00", "updated": "2026-04-13T13:00:22.119110+00:00", "vendors": ["svelte", "svelte$PRODUCT$kit"]}