CVE-2026-40073: CWE-770: Allocation of Resources Without Limits or Throttling in sveltejs kit
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
AI Analysis
Technical Summary
SvelteKit, a web application framework using Svelte, had a vulnerability (CVE-2026-40073) in versions before 2.57.1 where the internal BODY_SIZE_LIMIT could be bypassed under certain conditions when using adapter-node. This allowed requests to allocate resources beyond intended limits within the application framework. External body size limits at other layers remain effective. The issue is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has a CVSS 4.0 score of 8.2 (high severity) and was published on April 10, 2026. No known exploits in the wild have been reported. The vulnerability is fixed in SvelteKit 2.57.1.
Potential Impact
The vulnerability allows attackers to bypass the internal body size limit in SvelteKit applications running with adapter-node, potentially leading to resource exhaustion or denial of service conditions within the application. However, body size limits enforced by external components such as WAFs, gateways, or platform-level protections are not affected. No known active exploitation has been reported.
Mitigation Recommendations
Upgrade SvelteKit to version 2.57.1 or later, where this vulnerability is fixed. Since this is not a cloud service, remediation depends on applying the official patch. If upgrading immediately is not possible, ensure that external body size limits (e.g., via WAF or gateway) are properly configured to mitigate risk. Patch status is not explicitly stated beyond the fix in 2.57.1, so check the vendor advisory for the latest remediation guidance.
CVE-2026-40073: CWE-770: Allocation of Resources Without Limits or Throttling in sveltejs kit
Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. This vulnerability is fixed in 2.57.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SvelteKit, a web application framework using Svelte, had a vulnerability (CVE-2026-40073) in versions before 2.57.1 where the internal BODY_SIZE_LIMIT could be bypassed under certain conditions when using adapter-node. This allowed requests to allocate resources beyond intended limits within the application framework. External body size limits at other layers remain effective. The issue is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has a CVSS 4.0 score of 8.2 (high severity) and was published on April 10, 2026. No known exploits in the wild have been reported. The vulnerability is fixed in SvelteKit 2.57.1.
Potential Impact
The vulnerability allows attackers to bypass the internal body size limit in SvelteKit applications running with adapter-node, potentially leading to resource exhaustion or denial of service conditions within the application. However, body size limits enforced by external components such as WAFs, gateways, or platform-level protections are not affected. No known active exploitation has been reported.
Mitigation Recommendations
Upgrade SvelteKit to version 2.57.1 or later, where this vulnerability is fixed. Since this is not a cloud service, remediation depends on applying the official patch. If upgrading immediately is not possible, ensure that external body size limits (e.g., via WAF or gateway) are properly configured to mitigate risk. Patch status is not explicitly stated beyond the fix in 2.57.1, so check the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T00:39:12.204Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9d9721cc7ad14da3f8643
Added to database: 4/11/2026, 5:17:38 AM
Last enriched: 4/11/2026, 5:18:36 AM
Last updated: 4/11/2026, 3:12:10 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.