CVE-2026-40073
Published: 10 April 2026
Summary
CVE-2026-40073 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in SvelteKit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 24.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating the flaw by upgrading SvelteKit to version 2.57.1 directly eliminates the body size limit bypass that is exploited for resource-exhaustion DoS.
Denial-of-service protections limit the effect of resource exhaustion attacks such as oversized requests that bypass SvelteKit's body size limit.
Restricting input sizes enforces body size limits at the application level, mitigating bypasses that lead to memory or CPU exhaustion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing SvelteKit web application allows remote, unauthenticated attackers to bypass body size limits and exhaust resources (DoS), which maps directly to exploitation of public-facing applications and of applications or systems for denial of service.
NVD Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
Deeper analysis
CVE-2026-40073 is a vulnerability in SvelteKit, a framework for building robust, performant web applications using Svelte. In versions prior to 2.57.1, requests could bypass the BODY_SIZE_LIMIT under certain circumstances when running SvelteKit applications with the adapter-node. This issue is tied to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.
Unauthenticated attackers with network access can exploit this vulnerability by crafting requests that evade the application's body size restrictions, potentially leading to denial-of-service conditions through resource exhaustion, such as excessive memory or CPU usage. The low attack complexity and lack of required privileges or user interaction make it accessible to remote adversaries targeting exposed SvelteKit adapter-node deployments.
The vulnerability is fixed in SvelteKit 2.57.1, as detailed in the project's security advisory (GHSA-2crg-3p73-43xp), release notes, and associated commit. Other body size limits enforced at the WAF, gateway, or platform levels remain effective and unaffected by this bypass. Security practitioners should upgrade to the patched version and verify configurations for adapter-node usage.
Details
- CWE(s)