DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40074: Denial of Service via Unhandled Exceptions in SvelteKit Redirects

Vulnerability ID: CVE-2026-40074
CVSS Score: 6.3
Published: 2026-04-10

SvelteKit versions prior to 2.57.1 are vulnerable to a Denial of Service (DoS) condition due to improper handling of exceptional conditions in the redirect() function. When supplied with invalid HTTP header characters, the underlying JavaScript runtime throws a TypeError that terminates the process or hangs the request.

TL;DR

A DoS vulnerability in SvelteKit < 2.57.1 allows attackers to crash the server or hang requests by injecting invalid HTTP header characters (like CRLF) into the location parameter of the redirect() function.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-755
  • Attack Vector: Network
  • CVSS 4.0 Score: 6.3 (Medium)
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept (PoC)
  • Vulnerable Component: redirect() function / internal_respond

Affected Systems

  • SvelteKit
  • Node.js (underlying runtime impact)
  • Bun (underlying runtime impact)
  • Deno (underlying runtime impact)
  • SvelteKit: < 2.57.1 (Fixed in: 2.57.1)

Code Analysis

Commit: 10d7b44

safer redirects

Adds validation in internal index.js using `new Headers({ location })` and adds a try...catch block in server/respond.js falling back to `handle_fatal_error`.
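The validation step the fix introduces, shown as an added example in plain Node.js (not SvelteKit's own code): `isValidRedirectLocation`, `buildRedirectUnpatched` and `buildRedirectPatched` are assumed names, the hostile sample is the decoded form of the query string quoted in the test case below, and a runtime with a global Fetch `Headers` (Node.js 18+, Bun, Deno) is assumed.

```javascript
// `new Headers({ location })` applies the Fetch header-value rules: a value
// containing CR, LF or NUL makes the constructor throw a TypeError instead of
// letting the bytes reach the wire. Left unhandled, that TypeError is exactly
// what crashed the process or hung the request in SvelteKit < 2.57.1.

// Returns true when `location` is a legal HTTP header value, false otherwise.
function isValidRedirectLocation(location) {
  try {
    new Headers({ location });
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err; // anything else is unexpected; let it surface
  }
}

// Unpatched shape: the TypeError escapes to whoever is handling the request.
function buildRedirectUnpatched(location) {
  return { status: 302, headers: new Headers({ location }) };
}

// Patched shape: the failure becomes a controlled error response (the real
// fix hands it to handle_fatal_error) and the worker keeps serving requests.
function buildRedirectPatched(location) {
  try {
    return buildRedirectUnpatched(location);
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
    return { status: 500, headers: new Headers(), error: 'invalid redirect location' };
  }
}

// Constructed sample inputs: a benign path and the decoded PoC query value.
const benignLocation = '/profile';
const hostileLocation = decodeURIComponent(
  '%2Fredirect%2Fc%0D%0Aset-cookie%3A%20evil%3D1'
);

function demo() {
  console.log('benign valid:', isValidRedirectLocation(benignLocation));   // true
  console.log('hostile valid:', isValidRedirectLocation(hostileLocation)); // false
  console.log('patched status:', buildRedirectPatched(hostileLocation).status); // 500
}
demo();
```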

Exploit Details

  • Framework Test Suite: Test case demonstrating the crash via request.get('/redirect/in-handle?location=%2Fredirect%2Fc%0D%0Aset-cookie%3A%20evil%3D1')

Mitigation Strategies

  • Upgrade @sveltejs/kit to a patched version (2.57.1+).
  • Implement application-level input sanitization for any user-provided redirect destinations.
  • Ensure production deployments utilize process managers (like PM2 or container orchestration) to automatically recover from unhandled exceptions.
  • Deploy WAF rules to block incoming requests containing CRLF sequences in query parameters.

Remediation Steps:

  1. Identify all instances of redirect() calls in the SvelteKit application.
  2. Trace the data flow to determine if untrusted user input can reach the location parameter.
  3. Update the @sveltejs/kit dependency to version 2.57.1 by running npm update @sveltejs/kit or equivalent.
  4. Run the application test suite to ensure the upgrade does not introduce regressions.
  5. Deploy the updated application to production environments.

Read the full report for CVE-2026-40074 on our website for more details including interactive diagrams and full exploit analysis.
