CVE-2026-40074
TypeError DoS in SvelteKit handle Hook via Malformed Redirect
Publication date: 2026-04-10
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| svelte | kit | < 2.57.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in SvelteKit (CVE-2026-40074) causes a denial-of-service (DoS) condition by triggering an unhandled TypeError when invalid characters are present in the redirect location parameter. It impacts availability but does not affect confidentiality or integrity of data.
Since the vulnerability does not lead to unauthorized access, data leakage, or data modification, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.
However, the DoS condition could affect service availability, which may indirectly impact compliance if availability is a regulatory requirement or part of a service level agreement.
Can you explain this vulnerability to me?
CVE-2026-40074 is a moderate severity vulnerability in the SvelteKit framework versions up to 2.57.0. It occurs when the redirect function is called inside the handle server hook with a location parameter containing characters invalid in HTTP headers. This causes an unhandled TypeError, leading to a denial-of-service (DoS) condition on some platforms.
The root cause is the lack of validation or sanitization of the location parameter before it is used in HTTP headers. If an attacker supplies crafted input with invalid characters, it triggers an unhandled exception that disrupts the service.
The vulnerability was fixed in version 2.57.1 by adding strict validation of redirect locations to prevent invalid characters and by improving error handling to avoid server crashes.
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition by crashing or disrupting the SvelteKit server when it processes a redirect with an invalid location parameter.
An attacker can remotely exploit this issue without any privileges or user interaction by sending crafted input containing invalid characters in the redirect location.
The impact is primarily on availability, as the service may become unavailable or unstable due to unhandled exceptions triggered by malicious redirect inputs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unhandled TypeErrors or server crashes caused by invalid characters in HTTP redirect locations within the SvelteKit handle server hook.
Specifically, look for requests that include redirect location parameters containing characters invalid in HTTP headers, such as carriage return (CR) or line feed (LF) characters.
You can detect attempts to exploit this vulnerability by inspecting server logs for errors related to redirect failures or by capturing HTTP requests with suspicious redirect location parameters.
Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP requests with suspicious redirect parameters, for example:
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'location='
- grep -r 'redirect(' your-sveltekit-server-logs/ | grep -P '\\r|\\n|\x0d'
The second grep uses -P because the \x0d byte escape is only understood by PCRE mode (under -E it matches the literal text "x0d"); a raw line feed cannot be matched by a line-oriented grep, so only the escaped forms and the raw carriage return are searched for.
Additionally, monitoring for HTTP 500 errors in server logs related to redirect handling may indicate attempts to trigger this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step to mitigate this vulnerability is to upgrade the @sveltejs/kit package to version 2.57.1 or later, where the issue has been fixed.
This update includes strict validation of redirect location parameters to prevent invalid characters in HTTP headers, preventing unhandled exceptions and potential denial-of-service.
If upgrading immediately is not possible, as a temporary mitigation, ensure that any user input used in redirect locations is properly sanitized to exclude characters invalid in HTTP headers, such as CR and LF.
Also, monitor server logs for errors related to redirects and consider implementing rate limiting or input validation at the application or web server level to reduce the risk of exploitation.
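The temporary mitigation above, validating any user-controlled redirect target before it reaches a header, as an added example that is not SvelteKit's own code. It assumes the target arrives in a query parameter named "next" (a hypothetical name) and that only same-origin paths are acceptable; `makeEvent` is a constructed stand-in for a request event so the block runs without SvelteKit.

```javascript
// Added example, not SvelteKit's own code: a defensive `handle` hook for
// src/hooks.server.js that validates a user-controlled redirect target
// before it is placed in a Location header. Assumptions: the target
// arrives in a query parameter named "next" (hypothetical), and only
// same-origin paths are allowed. In a real hook, `handle` would be exported.

// Node's Headers (undici) rejects CR, LF and NUL in a field value with a
// TypeError; an uncaught TypeError of that kind is the failure mode behind
// the DoS. This regex is stricter: it also rejects other C0 controls and DEL.
const INVALID_HEADER_CHARS = /[\u0000-\u0008\u000a-\u001f\u007f]/;

function isSafeRedirectTarget(location) {
  if (typeof location !== 'string' || location.length === 0) return false;
  if (INVALID_HEADER_CHARS.test(location)) return false;
  // Same-origin paths only: must start with "/" but not "//" or "/\",
  // which browsers treat as protocol-relative URLs.
  if (!location.startsWith('/') || /^\/[\/\\]/.test(location)) return false;
  return true;
}

// Same shape as a SvelteKit handle hook: ({ event, resolve }) => Response.
// Returning a Response directly from handle is supported by SvelteKit.
function handle({ event, resolve }) {
  const next = event.url.searchParams.get('next'); // percent-decoded
  if (next === null) return resolve(event);
  if (!isSafeRedirectTarget(next)) {
    // Fail closed with a client error instead of letting a TypeError
    // escape the hook and take the request (or the process) down.
    return new Response('Bad redirect target', { status: 400 });
  }
  try {
    return new Response(null, { status: 302, headers: { location: next } });
  } catch (err) {
    // Defence in depth: Headers construction rejects anything the regex missed.
    if (err instanceof TypeError) {
      return new Response('Bad redirect target', { status: 400 });
    }
    throw err;
  }
}

// Constructed stand-in for event.url (not a real SvelteKit RequestEvent).
function makeEvent(pathWithQuery) {
  return { url: new URL(pathWithQuery, 'http://localhost') };
}
```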