@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
- Severity: Medium
Description
When redirect is called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP header, it causes an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Version details:
- Affected version(s): <= 2.57.0
- Patched version(s): 2.57.1
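One way to keep a user-supplied location header-safe before it reaches redirect, as an added example rather than SvelteKit's or this advisory's own code. The helper name safeRedirectTarget, the `next` query parameter, the same-origin restriction and the visible-ASCII rule are assumptions made for illustration.

```javascript
// Added example (not SvelteKit code). All names here are hypothetical.
// Conservative rule (assumption): the final Location value may contain
// only visible ASCII, which every HTTP header implementation accepts.
const HEADER_SAFE = /^[\x21-\x7e]+$/;
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

function safeRedirectTarget(input, origin, fallback = '/') {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return fallback;
  }
  // Reject CR, LF, NUL and other control characters outright instead of
  // relying on the URL parser to silently strip some of them.
  if (CONTROL_CHARS.test(input)) return fallback;

  let url;
  try {
    url = new URL(input, origin); // resolves relative paths against our origin
  } catch {
    return fallback;
  }
  // Only same-origin targets are allowed (assumption for this example).
  if (url.origin !== new URL(origin).origin) return fallback;

  // The URL parser percent-encodes spaces and non-ASCII characters,
  // so the rebuilt path is plain ASCII.
  const target = url.pathname + url.search + url.hash;
  return HEADER_SAFE.test(target) ? target : fallback;
}

// Usage sketch inside the handle hook in src/hooks.server.js:
//   const next = event.url.searchParams.get('next');
//   redirect(303, safeRedirectTarget(next, event.url.origin));
```

The helper always returns a string that is valid as a header value, so the call to redirect no longer depends on what the client sent.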
Related Issues
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- liquidjs has a Denial of Service via circular block reference in layout - CVE-2026-41311
- Parse Server: Denial of Service via unindexed database query for unconfigured auth providers - CVE-2026-33538
- Tags: npm, @sveltejs/kit
Last updated on April 10, 2026


