Body Size Limit Bypass in SvelteKit Framework by Svelte
CVE-2026-40073

8.2 HIGH

Key Information:

Vendor

Sveltejs

Status
Vendor
CVE Published:
10 April 2026

What is CVE-2026-40073?

SvelteKit, a framework widely used for building efficient web applications, contains a vulnerability that lets certain requests bypass the BODY_SIZE_LIMIT when using adapter-node. The issue affects only the application layer in specific configurations; other protective measures, such as those enforced in WAFs and at the platform level, remain in effect. The vulnerability is fixed in version 2.57.1, so affected applications should be updated.

Affected Version(s)

kit < 2.57.1

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
