CVE-2026-40073
EPSS 0.09%
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
Published: 4/10/2026
Modified: 4/10/2026
Also known as: GHSA-2crg-3p73-43xp
Description
Under certain circumstances, requests could bypass the `BODY_SIZE_LIMIT` on SvelteKit applications running with `adapter-node`. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected.
Affected packages (1)
- npm/@sveltejs/kit from 0, < 2.57.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
References (6)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40073
- PATCH https://github.com/sveltejs/kit
- WEB https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95
- WEB https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
- WEB https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
- WEB https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp