CVE-2026-40073 Overview
CVE-2026-40073 is a Resource Exhaustion vulnerability affecting SvelteKit, a popular framework for building web applications using Svelte. Prior to version 2.57.1, certain HTTP requests could bypass the BODY_SIZE_LIMIT configuration when SvelteKit applications are deployed with adapter-node. This bypass allows attackers to send oversized request bodies that exceed the intended limits, potentially leading to denial of service conditions through memory or resource exhaustion.
Critical Impact
Attackers can bypass body size limits in SvelteKit applications using adapter-node, potentially causing resource exhaustion and denial of service. While WAF, gateway, or platform-level limits remain effective, applications relying solely on SvelteKit's BODY_SIZE_LIMIT are vulnerable.
Affected Products
- SvelteKit versions prior to 2.57.1
- Applications deployed with adapter-node
- Node.js environments running vulnerable SvelteKit versions
Discovery Timeline
- 2026-04-10 - CVE-2026-40073 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-40073
Vulnerability Analysis
This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) exists in SvelteKit's request body parsing logic within the adapter-node module. The flaw stems from improper validation of the content-length header when determining whether to apply body size restrictions.
The core issue lies in how the framework checks for the presence of a content-length header. The original code used isNaN(content_length) to decide whether the header was absent or invalid. That check is incomplete: values such as Infinity are not NaN, so they pass the isNaN() test even though they are not valid finite content lengths.
When an attacker crafts a request with a malformed or specially constructed content-length header, the body size limit check can be bypassed entirely, allowing arbitrarily large request bodies to be processed by the server.
Root Cause
The vulnerability originates from insufficient validation in the content-length header parsing logic in packages/kit/src/exports/node/index.js. The use of isNaN() for checking content-length validity is inadequate because it doesn't catch all cases of non-finite numbers (such as Infinity or -Infinity). The fix replaces this with Number.isFinite(), which provides stricter validation by ensuring the content-length is a proper finite number.
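The two predicates side by side, as an added example that is not SvelteKit's own code: the pre-2.57.1 isNaN() check, the Number.isFinite() check the fix introduced, and (my own suggestion, not something the advisory prescribes) a stricter decimal-only parse. The treatedAsBodyless function mirrors the control flow of the patched hunk so the effect of swapping the predicate is visible on constructed header values.

```javascript
// Added example, not SvelteKit's code. Contrasts the pre-2.57.1 isNaN() check
// with the Number.isFinite() check from the fix, plus a stricter decimal-only
// parse (a suggestion, not part of the advisory or the project).

// Pre-fix predicate: "a content-length is present" iff Number(header) is not NaN.
// Infinity and -Infinity are not NaN, so they count as a present length here.
function hasContentLengthLegacy(headers) {
  const n = Number(headers['content-length']);
  return !isNaN(n);
}

// Post-fix predicate (2.57.1): only finite numbers count as a present length.
function hasContentLengthFixed(headers) {
  const n = Number(headers['content-length']);
  return Number.isFinite(n);
}

// Stricter variant (assumption/suggestion): accept only a well-formed
// non-negative decimal integer. Rejects '1e3', ' 42', '0x10', '-1' and ''.
function hasContentLengthStrict(headers) {
  const raw = headers['content-length'];
  return typeof raw === 'string' && /^\d+$/.test(raw) && Number.isSafeInteger(Number(raw));
}

// Mirrors the patched hunk's control flow: is the request treated as having
// no body at all, given a "has content-length" predicate?
function treatedAsBodyless(req, hasContentLength) {
  const h = req.headers;
  const content_length = Number(h['content-length']);
  return (
    (req.httpVersionMajor === 1 && !hasContentLength(h) && h['transfer-encoding'] == null) ||
    content_length === 0
  );
}

// Classify one raw header value under each predicate.
function classify(rawValue) {
  const headers = rawValue === undefined ? {} : { 'content-length': rawValue };
  return {
    value: rawValue,
    legacy: hasContentLengthLegacy(headers),
    fixed: hasContentLengthFixed(headers),
    strict: hasContentLengthStrict(headers),
  };
}

// Constructed sample values (not captured traffic).
const SAMPLE_VALUES = [undefined, '', '0', '1024', 'Infinity', '-Infinity', 'abc', '1e3', ' 42'];

function classifyAll(values = SAMPLE_VALUES) {
  return values.map(classify);
}

for (const r of classifyAll()) {
  console.log(JSON.stringify(r.value), 'legacy:', r.legacy, 'fixed:', r.fixed, 'strict:', r.strict);
}
```

The table this prints shows the gap the fix closes: 'Infinity' and '-Infinity' are "present" under the legacy predicate but not under Number.isFinite(). It also shows what Number.isFinite() still lets through ('1e3', ' 42', and the empty string, which Number() turns into 0), which is why the strict variant is worth considering when you own the parsing code.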
Attack Vector
An attacker can exploit this vulnerability remotely over the network without authentication. The attack requires:
- Identifying a SvelteKit application running with adapter-node
- Crafting HTTP requests with malformed content-length headers that bypass the isNaN() check
- Sending oversized request bodies that exceed the configured BODY_SIZE_LIMIT
- Potentially exhausting server memory or resources through repeated large requests
}
const content_length = Number(h['content-length']);
+ const has_content_length = Number.isFinite(content_length);
// check if no request body
if (
- (req.httpVersionMajor === 1 && isNaN(content_length) && h['transfer-encoding'] == null) ||
+ (req.httpVersionMajor === 1 && !has_content_length && h['transfer-encoding'] == null) ||
content_length === 0
) {
return null;
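Review bot: the `Number(h['content-length'])` coercion still accepts spellings HTTP never permits (`'1e3'`, `'0x10'`, `' 42'`, `'-1'`, and the empty string, which becomes `0`), so the new `Number.isFinite(content_length)` line treats a negative or fractional value as a present length. Consider deriving `has_content_length` from a strict parse, e.g. `/^\d+$/.test(h['content-length'] ?? '') && Number.isSafeInteger(content_length)`, so the flag means exactly "a well-formed non-negative decimal Content-Length is present"; a short comment noting that `Infinity` and `-Infinity` now fall into the "no request body" branch would also help the next reader of this condition.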
Source: GitHub Commit
Detection Methods for CVE-2026-40073
Indicators of Compromise
- Unusual spikes in server memory usage on SvelteKit applications
- HTTP requests with malformed or abnormally large content-length headers
- Server crashes or restarts due to memory exhaustion
- Log entries showing requests with atypical content-length values (e.g., Infinity, extremely large numbers)
Detection Strategies
- Monitor application logs for requests with unusual content-length header values
- Implement server-side monitoring for memory consumption anomalies
- Review WAF logs for blocked requests with oversized bodies that may indicate exploitation attempts
- Audit application dependencies to identify vulnerable SvelteKit versions below 2.57.1
Monitoring Recommendations
- Enable detailed HTTP request logging to capture content-length header values
- Set up alerts for memory usage thresholds on Node.js application servers
- Monitor request throughput for abnormal patterns indicative of DoS attempts
- Implement rate limiting at the infrastructure level as an additional safeguard
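The log-based detection described above, as an added example that is not part of the advisory or of SvelteKit: it scans access-log lines for Content-Length values that are either malformed (not a plain decimal integer) or larger than the configured body limit, and counts findings per client so repeated oversized requests stand out. The log format is an assumption: a logging layer that writes the raw header as cl="..." and "-" when the header is absent; the lines themselves are constructed.

```javascript
// Added example, not from the advisory. Scans constructed access-log lines for
// Content-Length values that are malformed or exceed the configured body limit.
// Assumed log format: the field cl="<raw header value>" holds the header as
// received; "-" means the request carried no Content-Length.
const CL_FIELD = /\bcl="([^"]*)"/;
const DECIMAL = /^\d+$/;

// Constructed sample lines, not captured traffic.
const SAMPLE_LOG = [
  '2026-04-11T10:00:01Z 203.0.113.7 POST /api/upload cl="1024" status=200',
  '2026-04-11T10:00:02Z 203.0.113.7 POST /api/upload cl="Infinity" status=200',
  '2026-04-11T10:00:03Z 203.0.113.9 POST /api/upload cl="1e9" status=200',
  '2026-04-11T10:00:04Z 203.0.113.9 POST /api/upload cl="943718400" status=200',
  '2026-04-11T10:00:05Z 198.51.100.4 GET /health cl="-" status=200',
  '2026-04-11T10:00:06Z 198.51.100.4 POST /api/form cl="0" status=204',
].join('\n');

// Returns one finding per suspicious line: { line, client, value, reason }.
function findSuspiciousRequests(logText, bodySizeLimit) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const m = CL_FIELD.exec(line);
    if (!m || m[1] === '-') continue; // no Content-Length on this request
    const value = m[1];
    const client = line.split(' ')[1]; // second field is the client address (assumed format)
    if (!DECIMAL.test(value)) {
      findings.push({ line, client, value, reason: 'malformed content-length' });
    } else if (Number(value) > bodySizeLimit) {
      findings.push({ line, client, value, reason: 'content-length above BODY_SIZE_LIMIT' });
    }
  }
  return findings;
}

// Count findings per client address; repetition from one source is the
// pattern to alert on for a resource-exhaustion attempt.
function countByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.client] = (counts[f.client] || 0) + 1;
  return counts;
}

// Example run with an assumed limit of 512 KiB (set this to your BODY_SIZE_LIMIT).
const findings = findSuspiciousRequests(SAMPLE_LOG, 512 * 1024);
for (const f of findings) console.log(f.reason, '|', f.client, '|', f.value);
console.log('per client:', countByClient(findings));
```

Pass the same value you configure as BODY_SIZE_LIMIT so the "oversized" rule matches what the application is supposed to enforce; anything flagged as malformed should not be reaching the application at all once a reverse proxy or WAF validates the header.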
How to Mitigate CVE-2026-40073
Immediate Actions Required
- Upgrade SvelteKit to version 2.57.1 or later immediately
- Review application configurations to ensure BODY_SIZE_LIMIT is properly set
- Verify that WAF or gateway-level body size limits are in place as defense-in-depth
- Audit server logs for any evidence of prior exploitation attempts
Patch Information
The vulnerability has been addressed in SvelteKit version 2.57.1. The fix replaces the isNaN() check with Number.isFinite() to properly validate content-length headers before body size limit enforcement. Administrators should update their applications using npm or yarn package managers.
For more details, see the GitHub Security Advisory and release notes.
Workarounds
- Implement body size limits at the reverse proxy or load balancer level (e.g., nginx client_max_body_size)
- Configure WAF rules to reject requests with abnormally large or malformed content-length headers
- Apply rate limiting to mitigate potential DoS impact while awaiting patching
- Consider temporarily disabling endpoints that accept large file uploads if exploitation is suspected
# Configuration example - nginx body size limit
# Add to nginx server or location block as defense-in-depth
client_max_body_size 10M;
# Upgrade SvelteKit to patched version
npm install @sveltejs/kit@2.57.1
# or
yarn upgrade @sveltejs/kit@2.57.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

