FKIE_CVE-2026-27729

Vulnerability from fkie_nvd - Published: 2026-02-24 01:16 - Updated: 2026-02-25 15:19
Summary
Astro is a web framework. In versions 9.0.0 through 9.5.3 of its Node adapter (`@astrojs/node`), Astro server actions have no default request body size limit, which can lead to memory-exhaustion denial of service: a single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit, so one oversized request is enough to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required; the result is unauthenticated denial of service against SSR standalone deployments that use server actions. Version 9.5.4 contains a fix.
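The defect described above is the unbounded-buffering pattern: every chunk of the request body is appended to memory until the peer stops sending. The following is an added example, not code from the Astro project or from the advisory, showing that pattern beside a bounded reader for a plain Node `http` request handler. The names (`BodyTooLargeError`, `BoundedBodyBuffer`, `readBodyLimited`, `handleRequest`), the 1 MiB default limit and the constructed sample chunks are illustrative assumptions; the fix for this CVE is to upgrade `@astrojs/node` to 9.5.4, and the example illustrates the kind of limit that was missing, not the project's actual patch.

```javascript
'use strict';
// Added example (not Astro project code). Assumed limit; tune per deployment.
const DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // 1 MiB

// Illustrative error type carrying the HTTP status a handler should return.
class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`request body exceeds ${limit} bytes (saw at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.statusCode = 413;
  }
}

// Vulnerable pattern: concatenate every chunk until the client stops sending.
// Memory use is bounded only by what the peer chooses to transmit.
function bufferUnbounded(chunks) {
  return Buffer.concat(chunks);
}

// Hardened pattern: account for bytes as they arrive and fail closed as soon
// as the running total passes the limit, before the whole body is in memory.
class BoundedBodyBuffer {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.seen = 0;
    this.chunks = [];
  }
  push(chunk) {
    this.seen += chunk.length;
    if (this.seen > this.maxBytes) throw new BodyTooLargeError(this.maxBytes, this.seen);
    this.chunks.push(chunk);
  }
  finish() {
    return Buffer.concat(this.chunks);
  }
}

// Same accounting over an in-memory chunk array, so it can be exercised offline.
function bufferBounded(chunks, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const buf = new BoundedBodyBuffer(maxBytes);
  for (const chunk of chunks) buf.push(chunk);
  return buf.finish();
}

// Cheap first line of defence: a declared Content-Length above the limit is
// rejected before a single body byte is read. A missing header (e.g. chunked
// transfer encoding) is not trusted; the streaming count still applies.
function declaredLengthExceeds(headers, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return false;
  const n = Number.parseInt(raw, 10);
  return Number.isFinite(n) && n > maxBytes;
}

// Reads a live http.IncomingMessage with the limit enforced while streaming.
function readBodyLimited(req, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  return new Promise((resolve, reject) => {
    if (declaredLengthExceeds(req.headers, maxBytes)) {
      return reject(new BodyTooLargeError(maxBytes, Number(req.headers['content-length'])));
    }
    const buf = new BoundedBodyBuffer(maxBytes);
    const onData = (chunk) => {
      try {
        buf.push(chunk);
      } catch (err) {
        req.off('data', onData); // stop accumulating immediately
        req.pause();
        reject(err);
      }
    };
    req.on('data', onData);
    req.once('end', () => resolve(buf.finish()));
    req.once('error', reject);
  });
}

// Handler: oversized bodies get a 413 instead of growing the heap.
async function handleRequest(req, res, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  try {
    const body = await readBodyLimited(req, maxBytes);
    res.writeHead(200, { 'content-type': 'text/plain' });
    res.end(`accepted ${body.length} bytes\n`);
  } catch (err) {
    const status = err instanceof BodyTooLargeError ? 413 : 400;
    res.writeHead(status, { 'content-type': 'text/plain', connection: 'close' });
    // Flush the error, then drop the socket so the peer cannot keep streaming
    // the remainder of the rejected body into this process.
    res.end(`${err.message}\n`, () => req.destroy());
  }
}

// Constructed sample input: three 4 KiB chunks, as a client might stream them.
const SAMPLE_CHUNKS = [Buffer.alloc(4096, 'a'), Buffer.alloc(4096, 'b'), Buffer.alloc(4096, 'c')];
```

Wire it with `http.createServer((req, res) => handleRequest(req, res)).listen(port)`. A declared `Content-Length` is only a hint, since a client can lie or use chunked encoding, so the streaming count is what actually bounds memory. Independently of this advisory, a reverse proxy in front of the app (for example nginx's `client_max_body_size`) enforces the same limit before a request reaches the Node process, which is a useful layered control for any deployment that cannot upgrade immediately.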
Impacted products
Vendor  Product         Version
astro   @astrojs/node   9.0.0 <= version < 9.5.4 (listed as "*" by NVD; range from the CPE match below)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:astro:\\@astrojs\\/node:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "4544AFCE-A719-4079-859C-E356B5871A4C",
              "versionEndExcluding": "9.5.4",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit \u2014 a single oversized request is sufficient to exhaust the process heap and crash the server. Astro\u0027s Node adapter (`mode: \u0027standalone\u0027`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix."
    }
  ],
  "id": "CVE-2026-27729",
  "lastModified": "2026-02-25T15:19:42.290",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-24T01:16:15.700",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/withastro/astro/pull/15564"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}