Description
Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix.
Published: 2026-02-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (memory exhaustion)
Action: Apply Patch
AI Analysis

Impact

Astro is a JavaScript web framework that uses server actions to process incoming requests. In versions 9.0.0 through 9.5.3, the framework's Node adapter has no default limit on request body size for server actions. An attacker can send a single oversized POST to an exposed action endpoint, causing the entire request body to be buffered in memory. The unbounded buffer can exhaust the process heap and crash the server, resulting in a denial-of-service condition.

Affected Systems

The vulnerability affects the Astro web framework (maintained by withastro). All releases from 9.0.0 up to and including 9.5.3 are vulnerable. Version 9.5.4 contains a fix that enforces a request size limit. Users deploying Astro with the Node adapter in standalone mode are at risk, especially in containerised environments where the crashed process is automatically restarted.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. EPSS is below 1%, so the likelihood of exploitation is low, and the issue is not listed in the CISA KEV catalogue. Nonetheless, the lack of authentication on server action endpoints means an unauthenticated attacker can trigger the DoS by simply posting a large request. In containerised deployments, the repeated crash and restart cycle can keep the application unavailable over time.

Generated by OpenCVE AI on April 17, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Astro to 9.5.4 or later.
  • If upgrading is not possible, set a request body size limit in the Node adapter or add middleware to reject oversized payloads before they reach server actions.
  • Disable or secure server actions on public pages so only authenticated users can invoke them.
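The second recommended action, rejecting oversized payloads before they reach server actions, as an added example that is not Astro's or OpenCVE's code. It is framework-agnostic so it runs stand-alone on Node 18+ (global Request); the assumptions are that action POSTs arrive under `/_actions/`, that a 1 MiB cap is acceptable, and that in an Astro project `guardActionRequest` would be called from `src/middleware.ts` before `next()`, returning a 413 to the client when it fails. The streaming check matters because a client can omit Content-Length (chunked transfer) and so bypass a header-only check.

```javascript
// Added example, not Astro's own code. Assumptions: action POSTs arrive
// under /_actions/; the caller wires this into src/middleware.ts and turns
// a 413 result into a Response. Runs on Node 18+ (global Request, Buffer).

function isActionRequest(request) {
  return request.method === 'POST' &&
    new URL(request.url).pathname.startsWith('/_actions/');
}

// Fast path on the declared Content-Length; a missing header is NOT a pass.
function contentLengthExceeds(declared, maxBytes) {
  if (declared === null || declared === undefined) return false;
  const n = Number(declared);
  return !Number.isInteger(n) || n < 0 || n > maxBytes;
}

// Slow path: consume the body chunk by chunk and stop as soon as the running
// total passes maxBytes, so at most maxBytes plus one chunk is ever buffered.
async function readBodyWithLimit(request, maxBytes) {
  if (!request.body) return new Uint8Array(0);
  const reader = request.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // drop the rest of the stream immediately
      throw new RangeError(`request body exceeds ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks);
}

// { status: 413 } for an oversized action body; otherwise { status: 200, bytes }
// with the bounded body (bytes is null for requests that are not actions).
async function guardActionRequest(request, maxBytes = 1024 * 1024) {
  if (!isActionRequest(request)) return { status: 200, bytes: null };
  if (contentLengthExceeds(request.headers.get('content-length'), maxBytes)) {
    return { status: 413, bytes: null };
  }
  try {
    return { status: 200, bytes: await readBodyWithLimit(request, maxBytes) };
  } catch (e) {
    if (e instanceof RangeError) return { status: 413, bytes: null };
    throw e;
  }
}
```

Because the guard consumes the body, middleware that uses it must hand the returned bytes downstream (for example by rebuilding the Request with them) rather than letting the action re-read an already drained stream.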



Advisories
Source: GitHub GHSA
ID: GHSA-jm64-8m5q-4qh8
Title: Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
History

Wed, 25 Feb 2026 15:30:00 +0000

Values added:
  First time appeared: Astro; Astro @astrojs/node
  CPEs: cpe:2.3:a:astro:\@astrojs\/node:*:*:*:*:*:node.js:*:*
  Vendors & Products: Astro; Astro @astrojs/node

Tue, 24 Feb 2026 10:00:00 +0000

Values added:
  First time appeared: Withastro; Withastro astro
  Vendors & Products: Withastro; Withastro astro

Tue, 24 Feb 2026 01:15:00 +0000

Values added:
  Description: added (identical to the Description at the top of this page)
  Title: Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
  Weaknesses: CWE-770
  References: added
  Metrics: cvssV3_1, score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:59:37.450Z

Reserved: 2026-02-23T18:37:14.789Z

Link: CVE-2026-27729

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-24T01:16:15.700

Modified: 2026-02-25T15:19:42.290

Link: CVE-2026-27729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses