Svelte Framework Redirect Vulnerability in SvelteKit
CVE-2026-40074

6.3 MEDIUM

Key Information:

Vendor: Sveltejs

Status: Vendor

CVE Published: 10 April 2026

What is CVE-2026-40074?

SvelteKit, a framework for building high-performance web applications with Svelte, contains a vulnerability in its redirect functionality. When the redirect method is invoked within the handle server hook, improper handling of invalid characters in the location parameter can result in an unhandled TypeError. This creates a risk of Denial of Service (DoS), particularly when the location value includes unsanitized user input. The vulnerability is addressed in version 2.57.1, which removes the potential for disruption during application redirects.
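An added example, not SvelteKit's own code and not the fix shipped in 2.57.1: it reproduces the failure mode outside the framework and shows the input check a handle hook can apply before passing user-derived input to redirect(). It assumes the TypeError comes from the Fetch Response/Headers constructor rejecting the header value (the advisory does not say where it originates); isValidHeaderValue, safeRedirectLocation, buildRedirect and handleRedirect are names chosen for this example.

```javascript
// Added example, not SvelteKit's code. Assumption: the unhandled TypeError is
// raised when the Location header is built from a value containing characters
// that are not allowed in an HTTP header (Node 18+ validates this in the
// Fetch Response/Headers constructors).

// RFC 9110 field-value: visible ASCII, SP, HTAB and obs-text (0x80-0xFF).
// C0 controls (including CR, LF and NUL), DEL and anything above 0xFF are
// rejected; those are the "invalid characters" that make header construction throw.
function isValidHeaderValue(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  for (const ch of value) {
    const c = ch.codePointAt(0);
    if (c === 0x09) continue;                         // HTAB is permitted
    if (c < 0x20 || c === 0x7f || c > 0xff) return false;
  }
  return true;
}

// Apply this before calling redirect() with user-derived input: an invalid
// value is replaced by a fixed fallback path instead of being passed through.
function safeRedirectLocation(raw, fallback = '/') {
  return isValidHeaderValue(raw) ? raw : fallback;
}

// Stand-in for the framework step that turns a redirect into a Response.
// Called with an unchecked value, this is where the TypeError surfaces.
function buildRedirect(location) {
  return new Response(null, { status: 303, headers: { location } });
}

// Simulated handle hook: the ?next= query value is attacker-controlled.
// The request URL is constructed input; a CRLF in ?next= is the malformed case.
function handleRedirect(requestUrl) {
  const next = new URL(requestUrl).searchParams.get('next') ?? '/';
  const location = safeRedirectLocation(next, '/');
  const res = buildRedirect(location);
  return { status: res.status, location: res.headers.get('location') };
}
```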

Affected Version(s)

kit < 2.57.1

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
