CVE-2026-40074
EPSS 0.06%@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
發布日:2026/4/10修改日:2026/4/10
描述
`redirect`, when called from inside the `handle` server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled `TypeError`. This could result in DoS on some platforms, especially if the location passed to `redirect` contains unsanitized user input.
受影響套件(1)
- npm/@sveltejs/kitfrom 0, < 2.57.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-40074
- PATCHhttps://github.com/sveltejs/kit
- WEBhttps://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
- WEBhttps://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
- WEBhttps://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]
- WEBhttps://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx