CVE-2026-40074: @sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.
References
- github.com/advisories/GHSA-3f6h-2hrp-w5wx
- github.com/sveltejs/kit
- github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd
- github.com/sveltejs/kit/releases/tag/%40sveltejs%2Fkit%402.57.1
- github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx
- nvd.nist.gov/vuln/detail/CVE-2026-40074
Code Behaviors & Features
Detect and mitigate CVE-2026-40074 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →