
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40073: Unrestricted Resource Allocation in SvelteKit adapter-node via Chunked Transfer Encoding

Vulnerability ID: CVE-2026-40073
CVSS Score: 8.2
Published: 2026-04-10

SvelteKit's adapter-node fails to enforce the configured BODY_SIZE_LIMIT for incoming requests that use chunked transfer encoding. Because the limit is only compared against the Content-Length header, which a chunked request does not carry, an unauthenticated remote attacker can send arbitrarily large request bodies, bypassing the framework's internal protection and causing memory exhaustion and denial of service on the server.

TL;DR

A flaw in SvelteKit allows attackers to bypass BODY_SIZE_LIMIT via chunked transfer encoding, resulting in uncontrolled memory allocation and Denial of Service.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS v4.0 Score: 8.2 (High)
  • Impact: Denial of Service
  • Exploit Status: PoC Available
  • Affected Component: @sveltejs/adapter-node
  • Remediation: Upgrade to 2.57.1

Affected Systems

  • SvelteKit framework
  • Node.js server applications utilizing @sveltejs/adapter-node
  • @sveltejs/kit: < 2.57.1 (Fixed in: 2.57.1)

Code Analysis

Commit: 3202ed6

Fix: Enforce body_size_limit independently of the Content-Length header, so the limit is verified against the bytes actually received rather than the declared length.

Exploit Details

  • Internal Test Suite: Proof of concept demonstrating bypass of BODY_SIZE_LIMIT via continuous Node.js HTTP request chunks.

Mitigation Strategies

  • Upgrade @sveltejs/kit to a patched version
  • Enforce maximum request body size at the WAF or API gateway layer
  • Configure client_max_body_size in Nginx to terminate oversized streams early

Remediation Steps:

  1. Identify all projects utilizing @sveltejs/kit with adapter-node.
  2. Update the package.json dependency to specifically require @sveltejs/kit version 2.57.1 or higher.
  3. Execute the appropriate package manager installation command (e.g., npm install or yarn install).
  4. Redeploy the application service to active environments.
  5. Verify that the BODY_SIZE_LIMIT environment variable is set to a value appropriate for the application's expected request bodies.
