CVE-2026-40074 — @sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service

Description

`redirect`, when called from inside the `handle` server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled `TypeError`. This could result in DoS on some platforms, especially if the location passed to `redirect` contains unsanitized user input.

How to fix CVE-2026-40074

To remediate CVE-2026-40074, upgrade the affected package to a fixed version below.

npm/@sveltejs/kit—upgrade to 2.57.1 or later

Is CVE-2026-40074 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.57.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40074
PATCHgithub.com/sveltejs/kit
WEBgithub.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
WEBgithub.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1