CVE-2026-40074
EPSS: 0.06%
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
Published: 4/10/2026
Modified: 4/10/2026
Also known as: GHSA-3f6h-2hrp-w5wx
Description
`redirect`, when called from inside the `handle` server hook with a location parameter containing characters that are invalid in an HTTP header, will cause an unhandled `TypeError`. This could result in DoS on some platforms, especially if the location passed to `redirect` contains unsanitized user input.
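The defensive counterpart to the description above, as an added example that is not SvelteKit's own code: an untrusted redirect target is reduced to a header-safe, same-origin path before it ever reaches `redirect()`, and a small helper reproduces the `TypeError` the Fetch `Headers` API raises on a raw newline. The `next` query parameter and the hook shown in the trailing comment are assumptions for illustration.

```javascript
// Added example, not SvelteKit's own code: reduce an untrusted redirect
// target to a header-safe, same-origin path before passing it to redirect().

// Bytes the Fetch Headers API refuses in a header value are NUL, CR and LF;
// this check is deliberately stricter and allows only visible ASCII.
const INVALID_HEADER_CHARS = /[^\x21-\x7e]/;

function isValidHeaderValue(value) {
  return typeof value === 'string' && value.length > 0 && !INVALID_HEADER_CHARS.test(value);
}

// Throwaway origin used only so that relative inputs can be parsed.
const PARSE_BASE = 'http://redirect.invalid';

// Returns a safe local path ("/path?query#hash") or null if the input must be dropped.
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || !input.startsWith('/')) return null;
  // Reject header-breaking bytes outright rather than letting the URL parser
  // silently strip CR/LF, which would hide the attempt from logs.
  if (/[\0\r\n]/.test(input)) return null;
  let url;
  try {
    url = new URL(input, PARSE_BASE);
  } catch {
    return null;
  }
  // "//host/..." and "/\host/..." both parse to a foreign origin: open-redirect guard.
  if (url.origin !== PARSE_BASE) return null;
  // WHATWG parsing percent-encodes spaces, control chars and non-ASCII, so the
  // rebuilt path is header-safe; the final check is belt and braces.
  const target = url.pathname + url.search + url.hash;
  return isValidHeaderValue(target) ? target : null;
}

// Reproduces the failure mode on Node 18+: a raw newline in a Location value
// makes the Headers constructor throw TypeError, the error an unvalidated
// redirect() surfaces as. Returns null on runtimes without a global Headers.
function headerRejects(value) {
  if (typeof Headers === 'undefined') return null;
  try {
    new Headers({ location: value });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Assumed usage in src/hooks.server.js (shown as a comment because this
// example runs without the framework; "next" is an assumed parameter name):
//   import { redirect } from '@sveltejs/kit';
//   export async function handle({ event, resolve }) {
//     const target = safeRedirectTarget(event.url.searchParams.get('next'));
//     if (target !== null) redirect(302, target);
//     return resolve(event);
//   }
```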
Affected packages (1)
- npm/@sveltejs/kit: from 0, < 2.57.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-40074
- PATCH: https://github.com/sveltejs/kit
- WEB: https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
- WEB: https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
- WEB: https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
- WEB: https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx