Threat Advisory

SvelteKit Adapter Node Vulnerability Inducing Server Resource Overconsumption

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A vulnerability, CVE-2026-40073, has been uncovered in @sveltejs/kit when used with adapter-node, where improper enforcement of request body size limits allows attackers to bypass the configured BODY_SIZE_LIMIT under certain conditions. This flaw can enable remote attackers to send excessively large HTTP request payloads that are incorrectly processed by the application layer, even if such limits are enforced at other layers such as WAFs or gateways. Exploitation of this issue can lead to resource exhaustion, service degradation, or denial-of-service conditions by overwhelming server memory or processing capacity. The vulnerability is classified under improper resource allocation and affects applications running vulnerable versions prior to the patched release, making it necessary for environments relying on SvelteKit-based backend services to upgrade immediately to the secure version to prevent potential abuse. The vulnerability has a CVSS score of 8.2.
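The property at stake here is that a body size limit must be enforced on the bytes actually received, not only on what the client declares. The following is an added example for Node, not code from SvelteKit or adapter-node, contrasting a header-only check with a reader that counts received bytes and rejects with 413 once the limit is crossed; the advisory does not state the bypass conditions, and the size-suffix format, the function names and the constructed chunks are assumptions.

```javascript
// Added example (not SvelteKit's or adapter-node's code): enforce a request
// body size limit by counting bytes as they arrive instead of trusting the
// client-declared Content-Length. Works with any async iterable of chunks,
// which includes Node's http.IncomingMessage.

class PayloadTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds limit of ${limit} bytes`);
    this.name = 'PayloadTooLargeError';
    this.status = 413; // HTTP 413 Payload Too Large
  }
}

// Parse a limit such as "512K", "1M" or "65536". The suffix format is an
// assumption modelled on the human-readable values BODY_SIZE_LIMIT accepts.
function parseSizeLimit(value) {
  const m = /^(\d+)([KMG]?)$/i.exec(String(value).trim());
  if (!m) throw new Error(`invalid size limit: ${value}`);
  const unit = { '': 1, K: 1024, M: 1024 ** 2, G: 1024 ** 3 }[m[2].toUpperCase()];
  return Number(m[1]) * unit;
}

// Weak check: consults only the header the client chose to send. A request
// that omits or understates Content-Length is never limited by it.
function headerOnlyCheck(headers, limit) {
  const declared = Number(headers['content-length'] ?? 0);
  return declared <= limit;
}

// Hardened reader: rejects early on an over-limit declared length, and also
// counts every byte actually received, so the header cannot be used to bypass
// the limit. Throws before buffering the chunk that crosses the limit.
async function readBodyWithLimit(source, headers, limit) {
  const declared = headers['content-length'];
  if (declared !== undefined && Number(declared) > limit) {
    throw new PayloadTooLargeError(limit);
  }
  const chunks = [];
  let received = 0;
  for await (const chunk of source) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    received += buf.length;
    if (received > limit) throw new PayloadTooLargeError(limit);
    chunks.push(buf);
  }
  return Buffer.concat(chunks, received);
}
```

In a real server the caller maps PayloadTooLargeError to a 413 response and destroys the socket so no further bytes are buffered.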

RECOMMENDATION:

We recommend updating @sveltejs/kit to version 2.57.1 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2crg-3p73-43xp
