@sveltejs/kit
cpe:2.3:a:svelte:kit:*:*:*:*:node.js:*:*
- <= 2.57.0
A vulnerability in SvelteKit applications using adapter-node, prior to version 2.57.1, allowed certain requests to bypass the BODY_SIZE_LIMIT. This issue does not impact body size limits enforced at other layers, such as in the WAF, gateway, or platform level.
Exploitation of this vulnerability could lead to a denial-of-service condition by allowing requests to exceed the intended body size limit, potentially causing the application to handle excessively large payloads improperly.
The vulnerability can be reproduced by sending a chunked HTTP request that exceeds the BODY_SIZE_LIMIT while using the SvelteKit adapter-node. The application will not enforce the size limit, allowing the request to be processed despite its large size.
Users can upgrade to SvelteKit version 2.57.1 or later, where this vulnerability has been fixed.