Impact
The Node adapter for Astro, @astrojs/node, mishandles requests that contain a malformed if-match header when fetching static JavaScript or CSS assets from the _astro path. Instead of returning the expected 412 Precondition Failed response, the server issues a 500 Internal Server Error with a cache-control header that allows the error to be cached for one year. This cache poisoning causes every subsequent request for that asset, whether or not it carries an if-match header, to be served the cached 500 response until the expiration period elapses. The practical effect is a denial of service for the affected resource and widespread availability degradation for the entire site.
Affected Systems
All installations using the withastro:astro framework with the Node adapter at a version earlier than 10.0.5 are susceptible. This includes any production or staging environment deploying SSR sites via @astrojs/node that has not applied the fix released in version 10.0.5.
Risk and Exploitability
The vulnerability carries a CVSS score of 5.3, indicating moderate severity, and an EPSS score below 1%, meaning the likelihood of exploitation in the wild is low. It is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending crafted HTTP requests with malformed if-match headers to an affected asset URL. No authentication or code execution is required; the flaw is triggered remotely over plain HTTP. The primary consequence is the prolonged unavailability of the requested assets due to cached 500 responses.
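As an added illustration, not code from @astrojs/node or from the GHSA, the handler below models the failure mode described under Impact in plain Node-style JavaScript and places a hardened variant beside it. The If-Match parser, the asset table, the ETag values and the errorIsCacheable check are all constructed for this example; the real adapter's internals may differ. The point it demonstrates is twofold: an unparseable precondition header should produce a 412 rather than an exception, and an error response must never inherit a long-lived cache-control header.

```javascript
// Constructed example: a pure request handler for fingerprinted assets under
// /_astro/, first in a form that exhibits the cache-poisoning defect, then in
// a hardened form. Not the adapter's actual code.

const ONE_YEAR = "public, max-age=31536000, immutable"; // typical for hashed assets

// Stand-in asset table; in a real server this is the build output directory.
const ASSETS = new Map([
  ["/_astro/index.abc123.js", { etag: '"abc123"', body: "console.log('hi');" }],
]);

// Parse an If-Match value per RFC 9110: "*" or a comma-separated list of
// entity-tags. Returns null when the value is malformed instead of throwing.
// Only strong tags are kept, because If-Match uses strong comparison, so a
// weak tag (W/"...") can never match.
function parseIfMatch(value) {
  const v = String(value).trim();
  if (v === "*") return { any: true, tags: [] };
  const tags = [];
  for (const part of v.split(",")) {
    const p = part.trim();
    if (p === "") continue; // empty list elements are permitted by the grammar
    const m = /^(W\/)?"[\x21\x23-\x7E\x80-\xFF]*"$/.exec(p);
    if (m === null) return null; // malformed entity-tag
    if (m[1] === undefined) tags.push(p);
  }
  return { any: false, tags };
}

function preconditionHolds(cond, etag) {
  return cond.any || cond.tags.includes(etag);
}

// Defective variant: the long-lived cache-control header is attached before
// the precondition is evaluated, and a malformed header surfaces as an
// exception, so the resulting 500 carries a one-year cache lifetime.
function vulnerableHandler(url, headers) {
  const asset = ASSETS.get(url);
  if (!asset) return { status: 404, headers: {}, body: "" };
  const res = { status: 200, headers: { "cache-control": ONE_YEAR, etag: asset.etag }, body: asset.body };
  try {
    if (headers["if-match"] !== undefined) {
      const cond = parseIfMatch(headers["if-match"]);
      if (cond === null) throw new Error("unparseable If-Match"); // models a throwing parser
      if (!preconditionHolds(cond, asset.etag)) { res.status = 412; res.body = ""; }
    }
  } catch (err) {
    res.status = 500;
    res.body = "Internal Server Error"; // cache-control: ONE_YEAR is still set here
  }
  return res;
}

// Hardened variant: malformed or non-matching preconditions yield a 412 that
// is explicitly uncacheable, and the long cache lifetime is only ever set on
// the successful 200 response.
function hardenedHandler(url, headers) {
  const asset = ASSETS.get(url);
  if (!asset) return { status: 404, headers: { "cache-control": "no-store" }, body: "" };
  if (headers["if-match"] !== undefined) {
    const cond = parseIfMatch(headers["if-match"]);
    if (cond === null || !preconditionHolds(cond, asset.etag)) {
      return { status: 412, headers: { "cache-control": "no-store", etag: asset.etag }, body: "" };
    }
  }
  return { status: 200, headers: { "cache-control": ONE_YEAR, etag: asset.etag }, body: asset.body };
}

// Regression check usable in a test suite: does an error response carry
// explicit freshness that a shared cache would honour?
function errorIsCacheable(res) {
  if (res.status < 400) return false;
  const cc = String(res.headers["cache-control"] || "").toLowerCase();
  if (/\bno-store\b/.test(cc) || /\bprivate\b/.test(cc)) return false;
  const m = /\bmax-age=(\d+)/.exec(cc);
  return m !== null && Number(m[1]) > 0;
}
```

The errorIsCacheable check is the piece worth carrying into a deployment's own tests: run every 4xx and 5xx response from the asset route through it and fail the build if any carries a positive max-age without no-store or private.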
OpenCVE Enrichment
Github GHSA