CVE-2026-27729

Exploit

EPSS 0.08%
Veröffentlicht 24.02.2026 01:16:15
Zuletzt bearbeitet 25.02.2026 15:19:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Astro ≫ @astrojs/node SwPlatformnode.js Version >= 9.0.0 < 9.5.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.235

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4

Product

Release Notes

https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8

Patch

https://github.com/withastro/astro/pull/15564

Issue Tracking

https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-27729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27729

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27729