Description
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.
Published: 2026-03-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from Astro's Server Islands POST handler, which buffers and parses the entire request body as JSON without a size restriction. Because JSON.parse allocates a V8 heap object for every element in the input, an attacker can send a crafted payload of many small JSON objects whose heap footprint is roughly fifteen times its size on the wire. When the payload exhausts the heap, the Node.js process crashes, denying service. The flaw is classified as CWE-770 and lets unauthenticated attackers cause a denial of service by exhausting server memory.

Affected Systems

Astro deployments using the Node standalone adapter are affected. The /_server-islands/[name] route is present on all Astro SSR applications, regardless of whether any component uses server:defer, so any Astro SSR app built with the Node adapter and running a version earlier than 10.0.0 is in scope. Vendors: withastro:astro. Products: Astro web framework, versions up to 9.x, including any SaaS sites or self-hosted deployments using Node.

Risk and Exploitability

The CVSS score is 5.9 (medium severity). EPSS is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending an unauthenticated HTTP POST request to the /_server-islands endpoint with a large JSON payload. The attack requires no credentials and bypasses validation because the body is parsed before the island name is validated. Patching, or limiting request body size, is therefore essential to mitigate the risk.

Generated by OpenCVE AI on March 26, 2026 at 02:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Astro to version 10.0.0 or later.
  • If an upgrade is not feasible, enforce request size limits at the application or reverse proxy level.
  • After applying the patch or implementing limits, restart the Astro server to clear allocated memory.
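The second recommended action, limiting request size at the application level, is the general fix for CWE-770 in a body parser: count bytes as they arrive and refuse before anything is handed to JSON.parse. The following Node.js code is an added example written for this page; it is not Astro's handler, not the 10.0.0 patch, and not OpenCVE's. The 64 KiB limit, the BoundedBodyCollector and readJsonBody names, and the sample bodies are all assumptions constructed for illustration.

```javascript
// Added example (not Astro's or OpenCVE's code): enforce a byte limit on a
// JSON request body before it is buffered in full or parsed.
// MAX_JSON_BODY_BYTES is an assumed limit chosen for illustration.
const MAX_JSON_BODY_BYTES = 64 * 1024;

class BodyTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = "BodyTooLargeError";
    this.statusCode = 413; // HTTP 413 Payload Too Large
  }
}

// Accumulates body chunks and fails as soon as the running byte count passes
// the limit. The count is taken from the bytes actually received, not from a
// Content-Length header, so chunked or mis-declared bodies are bounded too.
// At most one chunk beyond the limit is ever held before rejection.
class BoundedBodyCollector {
  constructor(maxBytes = MAX_JSON_BODY_BYTES) {
    this.maxBytes = maxBytes;
    this.chunks = [];
    this.received = 0;
  }

  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.received += buf.length;
    if (this.received > this.maxBytes) {
      this.chunks = []; // release what was buffered so far
      throw new BodyTooLargeError(this.maxBytes);
    }
    this.chunks.push(buf);
  }

  // JSON.parse runs only after the complete body has passed the size check,
  // so the heap amplification from parsing is capped by maxBytes.
  parseJson() {
    return JSON.parse(Buffer.concat(this.chunks).toString("utf8"));
  }
}

// Wrapper for an async-iterable request stream (e.g. http.IncomingMessage).
// Rejects as soon as the limit is crossed, without reading the remainder.
async function readJsonBody(req, maxBytes = MAX_JSON_BODY_BYTES) {
  const collector = new BoundedBodyCollector(maxBytes);
  for await (const chunk of req) {
    collector.push(chunk); // a throw here rejects the promise and ends the loop
  }
  return collector.parseJson();
}

// Same check over an already-buffered body (kept separate for direct testing).
function parseJsonBounded(body, maxBytes = MAX_JSON_BODY_BYTES) {
  const collector = new BoundedBodyCollector(maxBytes);
  collector.push(body);
  return collector.parseJson();
}

// Constructed sample bodies (not taken from any real Astro request).
const SMALL_BODY = Buffer.from(JSON.stringify({ props: { id: 1 } }));
// The shape the advisory describes, many tiny objects, here 3001 bytes.
const BIG_BODY = Buffer.from("[" + Array(1000).fill("{}").join(",") + "]");

// Constructed two-chunk async iterable standing in for a request stream.
async function* sampleStream(body, splitAt) {
  yield body.subarray(0, splitAt);
  yield body.subarray(splitAt);
}

// Stand-alone demonstration.
console.log("small body parsed:", parseJsonBounded(SMALL_BODY));
try {
  parseJsonBounded(BIG_BODY, 1024);
} catch (e) {
  console.log("buffered body rejected:", e.name, e.statusCode, e.message);
}
readJsonBody(sampleStream(BIG_BODY, 512), 1024)
  .then((v) => console.log("unexpected:", v))
  .catch((e) => console.log("streamed body rejected:", e.name));
```

The same bound can be applied in front of the application at a reverse proxy (for example nginx's client_max_body_size directive), which protects every route at once; the in-process check above is still worth keeping so the limit holds when the app is reached directly.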



Advisories

Source: GitHub GHSA
ID: GHSA-3rmj-9m5h-8fpv
Title: Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
History

Wed, 25 Mar 2026 22:00:00 +0000
  First Time appeared (values added): Astro; Astro @astrojs/node
  CPEs (values added): cpe:2.3:a:astro:@astrojs/node:*:*:*:*:*:node.js:*:*
  Vendors & Products (values added): Astro; Astro @astrojs/node

Wed, 25 Mar 2026 12:00:00 +0000
  First Time appeared (values added): Withastro; Withastro astro
  Vendors & Products (values added): Withastro; Withastro astro

Tue, 24 Mar 2026 21:15:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 19:00:00 +0000
  Description (values added): the CVE description quoted at the top of this page
  Title (values added): Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
  Weaknesses (values added): CWE-770
  References (values added): (none shown)
  Metrics (values added): cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T20:17:11.483Z

Reserved: 2026-03-04T16:26:02.897Z

Link: CVE-2026-29772

Vulnrichment

Updated: 2026-03-24T20:16:33.223Z

NVD

Status: Analyzed

Published: 2026-03-24T19:16:51.153

Modified: 2026-03-25T21:48:16.560

Link: CVE-2026-29772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:18:53Z

Weaknesses