CVE-2026-40073: CWE-770: Allocation of Resources Without Limits or Throttling in sveltejs kit
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
AI Analysis
Technical Summary
SvelteKit, a web application framework using Svelte, had a vulnerability (CWE-770) where requests could circumvent the configured BODY_SIZE_LIMIT in applications running with adapter-node. This flaw allows attackers to send larger request bodies than intended, potentially causing resource exhaustion or denial of service. The issue is specific to the adapter-node environment and does not impact body size limits enforced by external layers like WAFs or platform-level controls. The vulnerability is addressed in version 2.57.1 of SvelteKit.
Potential Impact
The vulnerability allows attackers to bypass the BODY_SIZE_LIMIT in SvelteKit applications using adapter-node, which can lead to uncontrolled resource consumption. This may degrade application performance or cause denial of service. Other layers enforcing body size limits remain effective, limiting the scope of impact if such protections are in place.
Mitigation Recommendations
Upgrade SvelteKit to version 2.57.1 or later, where this vulnerability is fixed. If upgrading immediately is not possible, ensure that body size limits are enforced at other layers such as web application firewalls, gateways, or platform-level controls to mitigate risk. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 2.57.1.
CVE-2026-40073: CWE-770: Allocation of Resources Without Limits or Throttling in sveltejs kit
Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SvelteKit, a web application framework using Svelte, had a vulnerability (CWE-770) where requests could circumvent the configured BODY_SIZE_LIMIT in applications running with adapter-node. This flaw allows attackers to send larger request bodies than intended, potentially causing resource exhaustion or denial of service. The issue is specific to the adapter-node environment and does not impact body size limits enforced by external layers like WAFs or platform-level controls. The vulnerability is addressed in version 2.57.1 of SvelteKit.
Potential Impact
The vulnerability allows attackers to bypass the BODY_SIZE_LIMIT in SvelteKit applications using adapter-node, which can lead to uncontrolled resource consumption. This may degrade application performance or cause denial of service. Other layers enforcing body size limits remain effective, limiting the scope of impact if such protections are in place.
Mitigation Recommendations
Upgrade SvelteKit to version 2.57.1 or later, where this vulnerability is fixed. If upgrading immediately is not possible, ensure that body size limits are enforced at other layers such as web application firewalls, gateways, or platform-level controls to mitigate risk. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 2.57.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T00:39:12.204Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9d9721cc7ad14da3f8643
Added to database: 4/11/2026, 5:17:38 AM
Last enriched: 4/18/2026, 2:36:18 PM
Last updated: 5/26/2026, 6:53:57 PM
Views: 111
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.