Description
Under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Followings are version details:
- Affected version(s): <= 2.57.0
- Patched version(s): 2.57.1
References
Related Issues
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - CVE-2026-34166
- Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands - CVE-2026-29772
You might also like:
- Tags:
- npm
- @sveltejs/kit
Anything's wrong? Let us know Last updated on April 10, 2026