Fluid Attacks Database

Description

@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@sveltejs/kit	>=0 <2.57.1	2.57.1

Aliases

1. CVE-2026-400742. NVD-2026-400743. OSV-2026-400744. GHSA-3f6h-2hrp-w5wx5. GCVE-2026-40074

References

1. https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx2. https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd3. https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.14. https://github.com/sveltejs/kit/releases/tag/@sveltejs/[email protected]

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.