Fluid Attacks Database

Description

@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass Under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@sveltejs/kit	>=0 <2.57.1	2.57.1

Aliases

1. CVE-2026-400732. NVD-2026-400733. OSV-2026-400734. GHSA-2crg-3p73-43xp5. GCVE-2026-40073

References

1. https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp2. https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b953. https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.14. https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.