CVE Vulnerability Database

CVE-2026-27729: Astro @astrojs/node DoS Vulnerability

CVE-2026-27729 is a denial of service vulnerability in Astro @astrojs/node that allows unauthenticated attackers to crash servers via oversized requests. This article covers technical details, affected versions, and fixes.

CVE-2026-27729 Overview

CVE-2026-27729 is a memory-exhaustion denial of service vulnerability affecting on-demand rendered Astro sites served through the Node adapter. With @astrojs/node versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which allows unauthenticated attackers to crash the server process by sending oversized POST requests to valid action endpoints. The impact is greatest in memory-constrained environments, where a single malicious request can exhaust the process heap.

On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory, with no size limit, before any validation or handler code runs, so the application is susceptible to resource exhaustion. In containerized environments the crashed process is automatically restarted, and repeated requests produce a persistent crash-restart loop that effectively maintains the denial of service condition.

Critical Impact

A single oversized POST request can crash the Astro server process. In containerized deployments, repeated requests cause a persistent crash-restart loop that keeps the service unavailable. No authentication is required at any point.

Affected Products

  • Astro @astrojs/node versions 9.0.0 through 9.5.3
  • Astro Node adapter in standalone mode (mode: 'standalone')
  • SSR (Server-Side Rendered) standalone deployments using server actions

Discovery Timeline

  • 2026-02-24 - CVE-2026-27729 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-27729

Vulnerability Analysis

This vulnerability stems from the absence of body size validation in Astro's server action handling. When Astro's Node adapter operates in standalone mode, it creates an HTTP server without any body size protection mechanisms. The parseRequestBody function processes incoming requests without enforcing limits on the payload size, allowing attackers to submit arbitrarily large request bodies.

The attack surface is readily accessible because action names are discoverable from HTML form attributes on any public page. This means no authentication or prior knowledge is required to identify valid action endpoints. Once an attacker identifies an action endpoint, they can craft a single oversized POST request containing JSON or FormData that will be fully buffered into memory before any processing occurs.

The impact is particularly severe in containerized environments where orchestration systems automatically restart crashed processes. An attacker can maintain a persistent denial of service by continuously sending oversized requests, creating a crash-restart loop that prevents legitimate traffic from being served.

Root Cause

The root cause is CWE-770: Allocation of Resources Without Limits or Throttling. Astro's action runtime did not enforce any body size limit when parsing incoming request bodies: the parseRequestBody function accepted and buffered the entire request body into memory regardless of size, creating a direct path to memory exhaustion. The Node adapter's standalone mode compounded the issue because it adds no HTTP-level body size restriction of its own, and Node's built-in http server enforces only a header size limit, not a body limit, so nothing upstream of the action runtime stopped the read.

Attack Vector

The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by:

  1. Identifying a valid server action endpoint by inspecting HTML form attributes on any public-facing page
  2. Crafting an HTTP POST request with an extremely large body (JSON or FormData)
  3. Sending the request to the discovered action endpoint
  4. The server attempts to buffer the entire request body into memory
  5. Memory exhaustion occurs, crashing the server process
  6. In containerized environments, repeating the attack maintains the denial of service
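The pattern behind the root cause and the attack above, as an added illustration that is not code from Astro or @astrojs/node: an unbounded body reader that keeps every chunk until the stream ends, beside a bounded replacement that rejects on the declared Content-Length and then keeps counting bytes as they arrive. ActionError is a local stand-in for Astro's class; the 'PAYLOAD_TOO_LARGE' code, the function names and the 64 KiB chunking are assumptions made for this example, and the oversized payload is constructed in the block.

```typescript
// Added illustration, not code from Astro or @astrojs/node: an unbounded body
// reader of the kind the advisory describes, beside a bounded replacement.
// ActionError is a local stand-in for Astro's class; the 'PAYLOAD_TOO_LARGE'
// code and every function name here are assumptions made for this example.

class ActionError extends Error {
  readonly code: string;
  constructor(code: string) {
    super(code);
    this.name = 'ActionError';
    this.code = code;
  }
}

// A body as the HTTP layer delivers it: chunks arriving over time. bytesDelivered()
// reports how much a reader actually pulled off the wire before it stopped.
interface CountedBody {
  chunks: AsyncIterable<Uint8Array>;
  bytesDelivered: () => number;
}

// Constructed attacker payload: totalBytes of filler, sent in 64 KiB chunks.
function oversizedBody(totalBytes: number, chunkSize = 64 * 1024): CountedBody {
  let delivered = 0;
  async function* gen(): AsyncGenerator<Uint8Array> {
    for (let remaining = totalBytes; remaining > 0; ) {
      const n = Math.min(chunkSize, remaining);
      remaining -= n;
      delivered += n;
      yield new Uint8Array(n).fill(0x78); // 'x'
    }
  }
  return { chunks: gen(), bytesDelivered: () => delivered };
}

function concat(parts: Uint8Array[], total: number): Uint8Array {
  const out = new Uint8Array(total);
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.length; }
  return out;
}

// Vulnerable pattern (CWE-770): keep every chunk until the stream ends, so the
// memory held grows with the request and one large POST can exhaust the heap.
async function readBodyUnbounded(body: AsyncIterable<Uint8Array>): Promise<Uint8Array> {
  const parts: Uint8Array[] = [];
  let total = 0;
  for await (const chunk of body) { parts.push(chunk); total += chunk.length; }
  return concat(parts, total);
}

// Hardened pattern: reject on the declared Content-Length before reading a byte,
// then keep counting as chunks arrive because the header can lie or be absent
// (chunked transfer). Throwing inside for-await closes the stream, so at most
// maxBytes plus one chunk is ever held.
async function readBodyBounded(
  body: AsyncIterable<Uint8Array>, contentLength: string | null, maxBytes: number,
): Promise<Uint8Array> {
  if (contentLength !== null) {
    const declared = Number(contentLength);
    if (!Number.isSafeInteger(declared) || declared < 0) throw new ActionError('BAD_REQUEST');
    if (declared > maxBytes) throw new ActionError('PAYLOAD_TOO_LARGE');
  }
  const parts: Uint8Array[] = [];
  let total = 0;
  for await (const chunk of body) {
    total += chunk.length;
    if (total > maxBytes) throw new ActionError('PAYLOAD_TOO_LARGE');
    parts.push(chunk);
  }
  return concat(parts, total);
}

// Feed one oversized payload, sent without Content-Length as a chunked request
// would be, to both readers and report what each one did with it.
async function compareReaders(payloadBytes: number, maxBytes: number): Promise<{
  unboundedBuffered: number; boundedCode: string | null; boundedDelivered: number;
}> {
  const buffered = await readBodyUnbounded(oversizedBody(payloadBytes).chunks);
  const streamed = oversizedBody(payloadBytes);
  let boundedCode: string | null = null;
  try {
    await readBodyBounded(streamed.chunks, null, maxBytes);
  } catch (e) {
    boundedCode = e instanceof ActionError ? e.code : 'unexpected';
  }
  return { unboundedBuffered: buffered.length, boundedCode, boundedDelivered: streamed.bytesDelivered() };
}

// Stand-alone run: a 4 MiB body against a 1 MiB limit.
compareReaders(4 * 1024 * 1024, 1024 * 1024).then((r) => console.log(r));
```

With a 4 MiB body and a 1 MiB limit the unbounded reader holds all 4 MiB, while the bounded reader stops after the seventeenth 64 KiB chunk (the first one that pushes the running total past the limit) and the generator is closed, so no further chunks are delivered. The header check matters for the common case, but the streamed count is what protects against a client that omits or understates Content-Length.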

The excerpt of the patch below adds a catch for ActionError thrown by parseRequestBody, so that a body rejected during parsing is returned to the caller as an action error instead of escaping as an unhandled exception:

typescript
 			try {
 				input = await parseRequestBody(context.request);
 			} catch (e) {
+				if (e instanceof ActionError) {
+					return { data: undefined, error: e };
+				}
 				if (e instanceof TypeError) {
 					return { data: undefined, error: new ActionError({ code: 'UNSUPPORTED_MEDIA_TYPE' }) };
 				}
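Review bot: this hunk only changes how an ActionError thrown by parseRequestBody is propagated, returning it as `{ data: undefined, error: e }`; the size check that makes parseRequestBody throw on an oversized body is not in the excerpt, so on its own this catch does not limit buffering, and the page should quote or point to the change inside parseRequestBody (the limit it enforces and whether it is configurable) so a reader can tell what is now rejected. Placing the new branch before the existing `instanceof TypeError` branch is right: a parse-limit error keeps its own code rather than being misreported as `UNSUPPORTED_MEDIA_TYPE`.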

Source: GitHub Commit

Detection Methods for CVE-2026-27729

Indicators of Compromise

  • Unusually large POST requests targeting action endpoints (paths under /_actions/, the route Astro serves actions on, or URLs taken from form action attributes)
  • Repeated server process crashes followed by automatic restarts
  • Memory utilization spikes followed by out-of-memory errors in application logs
  • High frequency of requests from single IP addresses targeting action endpoints

Detection Strategies

  • Monitor for HTTP POST requests with abnormally large Content-Length headers, or with no Content-Length at all (chunked transfer, where the size is unknown until read), targeting Astro action endpoints
  • Implement alerting on process crash and restart patterns in container orchestration logs
  • Track memory usage metrics and alert on sudden spikes correlating with incoming requests
  • Analyze web server access logs for requests with unusually large body sizes
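The log analysis described in the strategies above, as an added example that is not from the advisory or from Astro: a small detector run over constructed reverse-proxy access-log lines. The line format is an assumption, one request per line as `<client_ip> <method> <path> <status> <request_content_length>` with "-" when the client sent no Content-Length; nginx can emit this shape with a custom log_format using $content_length. The body-size threshold, the /_actions/ prefix and the sample lines are all constructed for the example.

```typescript
// Added example, not from the advisory or from Astro: a detector over constructed
// access-log lines of the assumed form
//   <client_ip> <method> <path> <status> <request_content_length>
// where "-" means the client sent no Content-Length (chunked transfer).

interface AccessRecord {
  ip: string;
  method: string;
  path: string;
  status: number;
  contentLength: number | null;
}

// Parse one line; anything malformed is dropped rather than guessed at.
function parseAccessLine(line: string): AccessRecord | null {
  const f = line.trim().split(/\s+/);
  if (f.length < 5) return null;
  const status = Number(f[3]);
  if (!Number.isInteger(status)) return null;
  let contentLength: number | null = null;
  if (f[4] !== '-') {
    const n = Number(f[4]);
    if (!Number.isSafeInteger(n) || n < 0) return null;
    contentLength = n;
  }
  return { ip: f[0], method: f[1], path: f[2], status, contentLength };
}

interface SourceStats {
  ip: string;
  actionPosts: number;      // POSTs to /_actions/* from this client
  oversized: number;        // declared body larger than maxBodyBytes
  undeclaredLength: number; // no Content-Length: size unknown until read
  upstreamErrors: number;   // 5xx on an action POST, consistent with a crashed process
}

// Aggregate per client IP; only POSTs to the action route are of interest.
function summarizeActionPosts(lines: string[], maxBodyBytes: number): Map<string, SourceStats> {
  const stats = new Map<string, SourceStats>();
  for (const line of lines) {
    const r = parseAccessLine(line);
    if (!r || r.method !== 'POST' || !r.path.startsWith('/_actions/')) continue;
    let s = stats.get(r.ip);
    if (!s) {
      s = { ip: r.ip, actionPosts: 0, oversized: 0, undeclaredLength: 0, upstreamErrors: 0 };
      stats.set(r.ip, s);
    }
    s.actionPosts += 1;
    if (r.contentLength === null) s.undeclaredLength += 1;
    else if (r.contentLength > maxBodyBytes) s.oversized += 1;
    if (r.status >= 500) s.upstreamErrors += 1;
  }
  return stats;
}

// A source is worth an alert if it sent any oversized action POST, or if its
// action POSTs drew repeated 5xx answers (the crash-restart signature).
function suspiciousSources(stats: Map<string, SourceStats>, minUpstreamErrors: number): SourceStats[] {
  return Array.from(stats.values())
    .filter((s) => s.oversized > 0 || s.upstreamErrors >= minUpstreamErrors)
    .sort((a, b) => b.oversized - a.oversized || b.upstreamErrors - a.upstreamErrors);
}

// Constructed sample: one client hammering an action with 50 MiB bodies (one
// stopped at the proxy with 413, the rest reaching a backend that then dies),
// beside ordinary traffic and a malformed line.
const SAMPLE_LOG: string[] = [
  '203.0.113.7 POST /_actions/subscribe 413 52428800',
  '203.0.113.7 POST /_actions/subscribe 502 52428800',
  '203.0.113.7 POST /_actions/subscribe 504 -',
  '198.51.100.4 POST /_actions/subscribe 200 312',
  '198.51.100.4 GET /pricing 200 -',
  '192.0.2.9 POST /_actions/contact 200 1024',
  'garbage line',
];

const sampleStats = summarizeActionPosts(SAMPLE_LOG, 10 * 1024 * 1024);
console.log(suspiciousSources(sampleStats, 2));
```

On the sample, 203.0.113.7 is the only source reported: two declared bodies above 10 MiB, one request with no declared length, and two 5xx answers on the action route. The undeclared-length count is kept separately because a chunked request cannot be judged by its header at all; only a proxy-enforced limit on bytes read, or the patched runtime, stops it.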

Monitoring Recommendations

  • Configure application performance monitoring (APM) to track memory allocation patterns during request handling
  • Set up alerts for container restart frequency exceeding normal thresholds
  • Implement request body size logging at the load balancer or reverse proxy level
  • Monitor for repeated 5xx errors or connection resets that may indicate process crashes

How to Mitigate CVE-2026-27729

Immediate Actions Required

  • Upgrade @astrojs/node to version 9.5.4 or later immediately
  • If immediate upgrade is not possible, implement body size limits at the reverse proxy or load balancer level
  • Review and audit all server action endpoints for exposure
  • Consider temporarily disabling server actions if they are not critical to operations

Patch Information

The Astro team has released version 9.5.4, which contains the fix for this vulnerability. The patch makes request body parsing reject oversized bodies with an ActionError that the action runtime now handles, so an oversized request produces an error response instead of exhausting memory. Note that the patched code excerpted above lives in Astro's action runtime, so confirm against the GitHub Security Advisory which package versions carry the fix and keep the astro core package current alongside the adapter.

Update your Astro Node adapter by running:

bash
npm install @astrojs/node@^9.5.4

For detailed information, refer to the GitHub Security Advisory and the release notes.

Workarounds

  • Configure a reverse proxy (nginx, Apache, Caddy) to enforce request body size limits before requests reach the Astro server
  • Implement rate limiting at the infrastructure level to limit the frequency of large POST requests
  • Use a Web Application Firewall (WAF) to filter requests with abnormally large body sizes
  • Deploy behind a CDN with built-in DDoS protection and body size limits

nginx
# Nginx configuration example - limit request body size before it reaches Astro.
# Requests over the limit are answered with 413 by nginx and never reach the
# action runtime. A tighter limit on the action route is reasonable, since
# form submissions are normally far smaller than uploads elsewhere on the site.
location /_actions/ {
    client_max_body_size 1m;
    proxy_pass http://astro_backend;
}

location / {
    client_max_body_size 10m;
    proxy_pass http://astro_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
