CVE-2026-40074

HIGH

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.

CVSS v3.1 Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Complexity

LOW

Privileges

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Published: 4/10/2026Modified: 4/15/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (3)

https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcdPatch https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1ProductRelease Notes https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wxVendor Advisory