GHSA-3f6h-2hrp-w5wx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3f6h-2hrp-w5wx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3f6h-2hrp-w5wx/GHSA-3f6h-2hrp-w5wx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3f6h-2hrp-w5wx
- Aliases
-
- CVE-2026-40074
- Published
- 2026-04-10T17:32:00Z
- Modified
- 2026-04-10T20:03:55.059697Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator
- Summary
- @sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
- Details
-
redirect, when called from inside thehandleserver hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandledTypeError. This could result in DoS on some platforms, especially if the location passed toredirectcontains unsanitized user input. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-04-10T17:17:12Z", "cwe_ids": [ "CWE-755" ], "github_reviewed_at": "2026-04-10T17:32:00Z" }- References
-
- https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx
- https://nvd.nist.gov/vuln/detail/CVE-2026-40074
- https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
- https://github.com/sveltejs/kit
- https://github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
- https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1
Affected packages
npm / @sveltejs/kit
Package
- Name
- @sveltejs/kit
- View open source insights on deps.dev
- Purl
- pkg:npm/%40sveltejs/kit