Description
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial-of-Service
Action: Immediate Patch
AI Analysis

Impact

A bug in SvelteKit’s handle server hook allows an unhandled TypeError when the redirect helper is called with a location string that contains characters invalid for an HTTP header. This error terminates the request processing and can disable the application on affected platforms, resulting in a denial of service. The flaw stems from inadequate validation of user‑supplied input that is passed to redirect, making the application vulnerable to formatted header attacks. The underlying weakness is identified as CWE‑755, a usability error where a default behaviour causes unintended effects.

Affected Systems

The vulnerability affects all installations of the SvelteKit framework before version 2.57.1. Users running sveltejs:kit with any earlier release are at risk. The impact applies to the entire application runtime, as the unhandled exception can bring services down if not properly isolated.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity. An attacker can exploit the flaw by sending an HTTP request that reaches the handle hook and includes a crafted location value with invalid header characters. The attack vector is likely remote, as the trigger occurs during normal request handling. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. However, the potential for service disruption warrants prompt action.

Generated by OpenCVE AI on April 10, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SvelteKit to version 2.57.1 or later, which contains the fix for the redirect validation issue.

Generated by OpenCVE AI on April 10, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3f6h-2hrp-w5wx @sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
History

Wed, 15 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:svelte:kit:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Svelte
Svelte kit
Vendors & Products Svelte
Svelte kit

Fri, 10 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.
Title SvelteKit's invalidated redirect in handle hook causes Denial-of-Service
Weaknesses CWE-755
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L'}

Subscriptions

Svelte Kit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:17:29.422Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40074

cve-icon Vulnrichment

Updated: 2026-04-14T14:17:24.206Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:12.513

Modified: 2026-04-15T19:01:50.630

Link: CVE-2026-40074

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:22Z

Weaknesses