@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
- Severity:
- Medium
Description
redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in a HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input.
Recommendation
Update the @sveltejs/kit package to the latest compatible version. Followings are version details:
- Affected version(s): <= 2.57.0
- Patched version(s): 2.57.1
References
Related Issues
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- Cube Core is vulnerable to Denial of Service (DoS) via crafted request - CVE-2026-25957
- jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - CVE-2026-24001
You might also like:
- Tags:
- npm
- @sveltejs/kit
Anything's wrong? Let us know Last updated on April 10, 2026


