CVE-2026-40073
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
EPSS 0.09%
Description
Under certain circumstances (the advisory does not say which), requests can bypass the `BODY_SIZE_LIMIT` enforced by `adapter-node` in SvelteKit applications, so a request body larger than the configured limit can reach the application. Only the adapter's own limit is affected: body size limits enforced at other layers of the stack, such as a WAF, an API gateway, or the hosting platform, still apply and cap what an attacker can send through them.
How to fix CVE-2026-40073
To remediate CVE-2026-40073, upgrade the affected package to the fixed version below.
- npm/@sveltejs/kit: upgrade to 2.57.1 or later
Is CVE-2026-40073 being exploited?
Low. The EPSS score is 0.09%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/@sveltejs/kit: from 0, < 2.57.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |