{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sveltekit/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-40073"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sveltekit","denial-of-service","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-40073, affects SvelteKit applications using \u003ccode\u003e@sveltejs/adapter-node\u003c/code\u003e versions 2.57.0 and earlier. This vulnerability allows requests to bypass the intended \u003ccode\u003eBODY_SIZE_LIMIT\u003c/code\u003e, potentially leading to resource exhaustion and denial-of-service conditions. The bypass occurs specifically within the adapter itself and does not impact body size limits enforced by other layers such as Web Application Firewalls (WAFs), gateways, or platform-level configurations. Successful exploitation could allow an attacker to send arbitrarily large requests, overwhelming the server and causing it to become unresponsive. 
The vulnerability was patched in version 2.57.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a SvelteKit application using a vulnerable version of \u003ccode\u003e@sveltejs/adapter-node\u003c/code\u003e (\u0026lt;= 2.57.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request with a body exceeding the configured \u003ccode\u003eBODY_SIZE_LIMIT\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the adapter fails to enforce the size limit on the request body.\u003c/li\u003e\n\u003cli\u003eThe oversized request is processed by the SvelteKit application.\u003c/li\u003e\n\u003cli\u003eThe application consumes excessive server resources (CPU, memory) while handling the oversized request.\u003c/li\u003e\n\u003cli\u003eThe server becomes overloaded and unresponsive due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the application, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, rendering the SvelteKit application unavailable to legitimate users. The number of affected applications is potentially large, given the popularity of SvelteKit for web development. Sectors utilizing SvelteKit for their web applications are all potentially at risk. 
If exploited, the application’s server can become overloaded causing a significant impact to availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@sveltejs/kit\u003c/code\u003e to version 2.57.1 or later to remediate CVE-2026-40073.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusually large HTTP request sizes, using a rule such as the example Sigma rule below.\u003c/li\u003e\n\u003cli\u003eImplement or reinforce body size limits at other layers of the application stack (e.g., WAF, gateway) to provide defense-in-depth.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-sveltekit-body-bypass/","summary":"A vulnerability exists in @sveltejs/adapter-node where requests could bypass the `BODY_SIZE_LIMIT` on SvelteKit applications, potentially leading to denial of service.","title":"@sveltejs/adapter-node BODY_SIZE_LIMIT Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-sveltekit-body-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Sveltekit","version":"https://jsonfeed.org/version/1.1"}
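The defense-in-depth recommendation in the brief above, as an added example that is not part of the CraftedSignal feed item and not code from SvelteKit or adapter-node: a Node.js body-size guard that sits in front of a request handler and counts the bytes that actually arrive instead of trusting the headers. It also replays the attack chain's oversized request against that guard using constructed traffic, including a request that understates its Content-Length and a chunked request that declares none, so the cap holds however the size is misrepresented. The 512 KiB limit, the sample requests and the `./build/handler.js` path in the trailing comment are assumptions for illustration.

```javascript
// Added example, not code from the CraftedSignal brief or from SvelteKit:
// a byte-counting body guard placed in front of a Node HTTP handler such as
// the one @sveltejs/adapter-node emits. The limit value is assumed.
const BODY_SIZE_LIMIT = 512 * 1024; // 512 KiB, assumed for illustration

// Content-Length is attacker-controlled. A well-formed value above the limit
// can be refused before any body byte is read, but an absent, malformed or
// understated value must not be trusted; byte counting covers those cases.
// Returns null when no length is declared, NaN when it is malformed.
function declaredLength(headers) {
  const raw = headers['content-length'];
  if (raw === undefined) return null;
  if (!/^\d+$/.test(raw)) return NaN;
  return Number(raw);
}

// Running total of bytes actually received; flips to exceeded once the total
// passes the limit, whatever the headers claimed.
class BodySizeGuard {
  constructor(limit) {
    this.limit = limit;
    this.received = 0;
    this.exceeded = false;
  }
  // Returns false as soon as the limit is crossed.
  feed(chunk) {
    if (!this.exceeded) {
      this.received += chunk.length;
      if (this.received > this.limit) this.exceeded = true;
    }
    return !this.exceeded;
  }
}

// Pure decision over a constructed request ({ headers, chunks }) so the policy
// can be exercised without a socket. Returns the status the guard would send
// and how many body bytes were consumed before it decided.
function inspectRequest(req, limit = BODY_SIZE_LIMIT) {
  const declared = declaredLength(req.headers);
  if (Number.isNaN(declared)) return { status: 400, bytesRead: 0 };
  if (declared !== null && declared > limit) return { status: 413, bytesRead: 0 };
  const guard = new BodySizeGuard(limit);
  for (const chunk of req.chunks) {
    if (!guard.feed(chunk)) return { status: 413, bytesRead: guard.received };
  }
  return { status: 200, bytesRead: guard.received };
}

// The same policy as a tap in front of a request handler. The tap does not
// buffer: it counts every chunk the downstream handler also sees and, once the
// limit is crossed, pauses the request, answers 413 and tears the connection
// down, so the server ingests at most limit plus one chunk from one client.
function withBodyLimit(next, limit = BODY_SIZE_LIMIT) {
  return (req, res) => {
    const declared = declaredLength(req.headers);
    if (Number.isNaN(declared)) {
      res.writeHead(400, { Connection: 'close' }).end();
      return;
    }
    if (declared !== null && declared > limit) {
      res.writeHead(413, { Connection: 'close' }).end();
      return;
    }
    const guard = new BodySizeGuard(limit);
    req.on('data', (chunk) => {
      if (!guard.feed(chunk) && !res.headersSent) {
        req.pause();
        res.writeHead(413, { Connection: 'close' }).end(() => req.destroy());
      }
    });
    next(req, res);
  };
}

// Constructed traffic (not captured data): one request under the limit, one
// that honestly declares an oversized body, one that lies in Content-Length,
// and a chunked one with no declared length. Only the first should pass.
const KB = 1024;
const sampleRequests = {
  normal:  { headers: { 'content-length': String(4 * KB) }, chunks: [Buffer.alloc(4 * KB)] },
  honest:  { headers: { 'content-length': String(2048 * KB) }, chunks: [Buffer.alloc(2048 * KB)] },
  lying:   { headers: { 'content-length': '100' }, chunks: Array.from({ length: 600 }, () => Buffer.alloc(KB)) },
  chunked: { headers: {}, chunks: Array.from({ length: 600 }, () => Buffer.alloc(KB)) },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests)) out[name] = inspectRequest(req);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runSamples());
  // Deploying in front of a built SvelteKit app (path assumed):
  //   const http = require('node:http');
  //   const { handler } = require('./build/handler.js');
  //   http.createServer(withBodyLimit((req, res) => handler(req, res))).listen(3000);
}
```

Running the file prints one decision per sample request: the honest oversized request is refused from its header alone with no body bytes read, while the lying and chunked requests are cut off after 513 KiB, one chunk past the limit. When the tap fires in front of a real handler, the downstream code sees the request as aborted, which is the intended outcome for a request that has already been answered with 413. The tap is a last line of defense on the Node process itself; the same limit should still be enforced at the WAF or reverse proxy as the brief recommends.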