SvelteKit Unvalidated Redirect in Handle Hook Causes Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in SvelteKit versions prior to 2.57.1. When `redirect` is called inside the `handle` server hook with a location string containing characters that are not permitted in an HTTP header value, building the redirect response throws a TypeError that the framework does not catch. The issue is most serious in applications that derive the redirect location from unsanitized user input (for example a "return to" query parameter), because a remote client can then supply the offending characters and crash the server.

Impact

A single crafted request that reaches the affected hook can crash the server process, causing a denial-of-service condition for all users until the process is restarted.

Reproduction

To reproduce this vulnerability, create a SvelteKit application and implement the `handle` server hook. Within this hook, call the `redirect` function with a location parameter containing characters that are invalid in an HTTP header value, such as carriage-return, line-feed or NUL characters. The Headers implementation used to construct the redirect response rejects the value with a TypeError; because SvelteKit does not catch it, the error propagates out of the request handler and crashes the server, producing a denial-of-service condition.
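The following is an added example, not SvelteKit's own code, that simulates the reproduction above: a `handle` hook redirecting to a user-controlled `next` query parameter, in its vulnerable form and in a hardened form that validates the target before calling `redirect`. `Redirect`, `redirect`, `resolve`, `runHandle`, `probe` and the `next` parameter name are stand-ins chosen for this example and are assumptions about the framework's internals, not its actual code. The crash itself is real platform behaviour: the Fetch `Headers` implementation used by Node 18+ (undici) throws a TypeError for a header value containing NUL, CR or LF.

```javascript
// Added example (not SvelteKit's code). Requires Node 18+ for the global
// Request, Response and URL classes. Redirect, redirect, resolve and
// runHandle are stand-ins (assumptions) for the framework's redirect helper
// and for the server step that turns a thrown Redirect into a Response.

// Thrown by redirect(); the real helper throws a comparable object.
class Redirect {
  constructor(status, location) {
    this.status = status;
    this.location = location;
  }
}

function redirect(status, location) {
  throw new Redirect(status, location);
}

// Stand-in for the `resolve` function handed to handle(): render the route.
function resolve(_event) {
  return new Response('ok');
}

// Stand-in for the server step that converts a thrown Redirect into a
// Response. The Headers implementation rejects a value containing NUL, CR or
// LF with a TypeError, and nothing here catches it: that is the unhandled
// error the advisory describes.
function runHandle(handle, request) {
  const event = { request, url: new URL(request.url) };
  try {
    return handle({ event, resolve });
  } catch (e) {
    if (e instanceof Redirect) {
      return new Response(null, {
        status: e.status,
        headers: { location: e.location },
      });
    }
    throw e;
  }
}

// Vulnerable hook: the `next` parameter goes straight into redirect().
function vulnerableHandle({ event, resolve }) {
  const next = event.url.searchParams.get('next');
  if (next !== null) redirect(302, next);
  return resolve(event);
}

// Characters that make a header value invalid per the Fetch spec
// (https://fetch.spec.whatwg.org/#header-value): NUL, CR and LF. Leading and
// trailing whitespace is only stripped by Headers, so it is trimmed below.
function isValidHeaderValue(value) {
  return typeof value === 'string' && !/[\0\r\n]/.test(value);
}

// Accept only a local absolute path (no scheme, no protocol-relative `//`)
// made of bytes that are legal in a header value; otherwise return null.
function safeRedirectTarget(value) {
  if (!isValidHeaderValue(value)) return null;
  const trimmed = value.trim();
  if (!trimmed.startsWith('/') || trimmed.startsWith('//')) return null;
  return trimmed;
}

// Hardened hook: validate before redirect(); answer 400 on bad input instead
// of letting the platform throw inside the response-building step.
function hardenedHandle({ event, resolve }) {
  const raw = event.url.searchParams.get('next');
  if (raw !== null) {
    const target = safeRedirectTarget(raw);
    if (target === null) {
      return new Response('invalid redirect target', { status: 400 });
    }
    redirect(302, target);
  }
  return resolve(event);
}

// Build GET /login?next=<value>. URLSearchParams percent-encodes CR/LF and
// searchParams.get() decodes them again on the server side.
function makeRequest(next) {
  return new Request('http://localhost/login?' + new URLSearchParams({ next }));
}

// Run a hook against a crafted `next` and report the outcome.
function probe(handle, next) {
  try {
    const res = runHandle(handle, makeRequest(next));
    return { status: res.status, location: res.headers.get('location') };
  } catch (e) {
    return { crashed: e.constructor.name };
  }
}

// Constructed inputs: a benign path and a CRLF-injected one.
const benign = '/account';
const crafted = '/account\r\nX-Injected: 1';
console.log('vulnerable, benign :', probe(vulnerableHandle, benign));
console.log('vulnerable, crafted:', probe(vulnerableHandle, crafted));
console.log('hardened,   crafted:', probe(hardenedHandle, crafted));
```

With the vulnerable hook, the crafted request escapes `runHandle` as a TypeError (the unhandled error that takes the server down), while the hardened hook returns a 400 and still performs the benign redirect normally. The path check in `safeRedirectTarget` also closes the open-redirect hole that an unchecked `next` parameter would leave even after the upstream fix.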

Remediation

Upgrade to SvelteKit version 2.57.1 or later, where this vulnerability has been patched. Until the upgrade is applied, validate any user-influenced redirect target in the `handle` hook before passing it to `redirect`, rejecting values that contain control characters (CR, LF, NUL) or that point off-site.

Added: Apr 10, 2026, 5:40 PM
Updated: Apr 10, 2026, 5:40 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 5.3
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.