CVE-2026-40074
Published: 10 April 2026
Summary
CVE-2026-40074 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in SvelteKit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-11 (Error Handling): directly addresses the improper handling of exceptional conditions (CWE-755) by requiring error-handling procedures that stop an unhandled TypeError from an invalid redirect location from turning into a DoS.
- SI-10 (Information Input Validation): mandates input validation at entry points so that user-supplied data passed to the redirect function is sanitized, blocking characters that are invalid in an HTTP header before they trigger an exception.
- Requires timely identification, reporting, and patching of the SvelteKit flaw fixed in version 2.57.1, eliminating the vulnerable redirect behavior.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability allows remote exploitation of a public-facing web application (T1190) to cause a denial of service through application or system exploitation (T1499.004) by triggering an unhandled exception in the redirect function.
NVD Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
Deeper analysis (AI)
CVE-2026-40074 affects SvelteKit, a framework for building robust web applications with Svelte, in versions prior to 2.57.1. The vulnerability arises when the redirect function is invoked from within the handle server hook using a location parameter that includes characters invalid for HTTP headers. This triggers an unhandled TypeError, which can disrupt application availability. The issue is classified under CWE-755 (Improper Handling of Exceptional Conditions) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption without requiring authentication or user interaction.
Attackers can exploit this remotely over the network with low complexity by supplying malicious input to the location parameter, particularly if applications pass unsanitized user data to the redirect function in the handle server hook. Successful exploitation results in a denial-of-service condition on affected platforms, crashing the server process and potentially halting service until restart. No privileges or user interaction are needed, making it accessible to unauthenticated remote actors.
The SvelteKit security advisory (GHSA-3f6h-2hrp-w5wx) and release notes for version 2.57.1 detail the fix, implemented via commit 10d7b44425c3d9da642eecce373d0c6ef83b4fcd. Security practitioners should upgrade to SvelteKit 2.57.1 or later to mitigate the issue, and review applications for unsanitized user input in redirect locations within handle hooks.
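The review the analysis recommends, checking that nothing user-controlled reaches redirect() unvalidated inside a handle hook, is easier with a concrete picture of the failure mode. The following Node.js script is an added illustration, not code from the SvelteKit project or the advisory: its event object, hooks and redirect() are simplified stand-ins that model a runtime which validates header values when building the response, and the helper names isValidHeaderValue, safeRedirectLocation and runHook are hypothetical. It runs the vulnerable pattern (query parameter passed straight to redirect) and a hardened pattern (location validated and constrained to an on-site path) over a few constructed request URLs, including one whose next parameter decodes to a CR/LF sequence.

```javascript
// Added example, not SvelteKit's own code: validating a redirect location
// derived from request input before it reaches redirect() in a handle hook.
// The event object, the hooks and redirect() are simplified stand-ins so the
// file runs under plain Node.js without SvelteKit installed.

// Characters that are never valid in an HTTP header field value: NUL, CR and
// LF (line terminators) and any code point above 0xFF, which has no single
// byte representation. A Headers implementation rejects such a value with a
// TypeError, which is the unhandled exception the advisory describes.
const INVALID_HEADER_VALUE = /[\u0000\r\n]|[^\u0000-\u00ff]/;

function isValidHeaderValue(value) {
  return typeof value === 'string' && !INVALID_HEADER_VALUE.test(value);
}

// Stand-in for the framework's redirect(): models a runtime that validates
// header values while building the Response and throws TypeError otherwise.
function redirect(status, location) {
  if (!isValidHeaderValue(location)) {
    throw new TypeError(`"${String(location)}" is an invalid header value`);
  }
  return { status, headers: { location } };
}

// Vulnerable pattern: the "next" query parameter is passed straight through.
// A TypeError thrown here propagates out of the hook unhandled.
function vulnerableHandle(event) {
  const next = event.url.searchParams.get('next') ?? '/';
  return redirect(303, next);
}

// Hardened pattern: constrain the location to an on-site absolute path and
// reject header-invalid characters; anything else falls back to a fixed path.
const FALLBACK_LOCATION = '/';

function safeRedirectLocation(candidate) {
  if (!isValidHeaderValue(candidate)) return FALLBACK_LOCATION;
  // Must start with a single "/": "//host" and "/\host" are treated as
  // protocol-relative URLs by browsers and would allow an open redirect.
  if (!candidate.startsWith('/') || /^\/[\/\\]/.test(candidate)) {
    return FALLBACK_LOCATION;
  }
  return candidate;
}

function hardenedHandle(event) {
  const next = event.url.searchParams.get('next');
  return redirect(303, safeRedirectLocation(next));
}

// Runs a hook against a constructed request URL and captures the outcome,
// so an escaping exception is reported instead of ending the process.
function runHook(handle, urlString) {
  const event = { url: new URL(urlString) };
  try {
    const res = handle(event);
    return { ok: true, status: res.status, location: res.headers.location };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed sample requests: a normal path, a path whose "next" parameter
// decodes to a CR/LF sequence, and a protocol-relative URL.
const SAMPLE_URLS = [
  'https://app.example/login?next=/dashboard',
  'https://app.example/login?next=/dash%0D%0Ax',
  'https://app.example/login?next=//evil.example/',
];

for (const url of SAMPLE_URLS) {
  console.log(url);
  console.log('  vulnerable:', JSON.stringify(runHook(vulnerableHandle, url)));
  console.log('  hardened:  ', JSON.stringify(runHook(hardenedHandle, url)));
}
```

The hardened hook never reaches redirect() with a value the header layer can reject, so the TypeError path is unreachable from request input regardless of whether the framework has been upgraded; the on-site path constraint is a separate check that also closes the open-redirect case the validation alone would leave. Upgrading to 2.57.1 remains the fix for the framework-level exception; the input check is the application-level control the analysis asks reviewers to look for.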
Details
- CWE(s)