SpirityCVE

Vendors	Products
Astro	\@astrojs\/node
Withastro	Astro

Link	Providers
https://www.spirityenterprise.com/managed-detection-response
https://www.spirityenterprise.com/mdr-for-endpoint
https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8
https://github.com/withastro/astro/pull/15564
https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4
https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8

Type	Values Removed	Values Added
First Time appeared		Astro Astro \@astrojs\/node
CPEs		cpe:2.3:a:astro:\@astrojs\/node::::::node.js::*
Vendors & Products		Astro Astro \@astrojs\/node

Type	Values Removed	Values Added
First Time appeared		Withastro Withastro astro
Vendors & Products		Withastro Withastro astro

Type	Values Removed	Values Added
Description		Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix.
Title		Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
Weaknesses		CWE-770
References		https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8 https://github.com/withastro/astro/pull/15564 https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4 https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27729", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T18:37:14.789Z", "datePublished": "2026-02-24T00:46:15.945Z", "dateUpdated": "2026-02-24T00:46:15.945Z"}, "containers": {"cna": {"title": "Astro has memory exhaustion DoS due to missing request body size limit in Server Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8"}, {"name": "https://github.com/withastro/astro/pull/15564", "tags": ["x_refsource_MISC"], "url": "https://github.com/withastro/astro/pull/15564"}, {"name": "https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8", "tags": ["x_refsource_MISC"], "url": "https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8"}, {"name": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4"}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"version": ">= 9.0.0, < 9.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:46:15.945Z"}, "descriptions": [{"lang": "en", "value": "Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit \u2014 a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix."}], "source": {"advisory": "GHSA-jm64-8m5q-4qh8", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:astro:\\@astrojs\\/node:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4544AFCE-A719-4079-859C-E356B5871A4C", "versionEndExcluding": "9.5.4", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit \u2014 a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix."}, {"lang": "es", "value": "Astro es un framework web. En las versiones 9.0.0 a 9.5.3, las acciones del servidor de Astro no tienen un l\u00edmite de tama\u00f1o de cuerpo de solicitud predeterminado, lo que puede llevar a una DoS por agotamiento de memoria. Una \u00fanica solicitud POST grande a un endpoint de acci\u00f3n v\u00e1lido puede colapsar el proceso del servidor en despliegues con restricciones de memoria. Los sitios renderizados bajo demanda construidos con Astro pueden definir acciones de servidor, que analizan autom\u00e1ticamente los cuerpos de las solicitudes entrantes (JSON o FormData). El cuerpo se almacena completamente en la memoria sin l\u00edmite de tama\u00f1o \u2014 una \u00fanica solicitud sobredimensionada es suficiente para agotar el heap del proceso y colapsar el servidor. El adaptador de Node de Astro ('mode: 'standalone'') crea un servidor HTTP sin protecci\u00f3n de tama\u00f1o de cuerpo. En entornos contenerizados, el proceso colapsado se reinicia autom\u00e1ticamente, y las solicitudes repetidas causan un bucle persistente de colapso-reinicio. Los nombres de las acciones son detectables a partir de los atributos de los formularios HTML en cualquier p\u00e1gina p\u00fablica, por lo que no se requiere autenticaci\u00f3n. La vulnerabilidad permite la denegaci\u00f3n de servicio no autenticada contra despliegues SSR standalone que utilizan acciones de servidor. Una \u00fanica solicitud sobredimensionada colapsa el proceso del servidor, y las solicitudes repetidas causan un bucle persistente de colapso-reinicio en entornos contenerizados. La versi\u00f3n 9.5.4 contiene una soluci\u00f3n."}], "id": "CVE-2026-27729", "lastModified": "2026-02-25T15:19:42.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T01:16:15.700", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/withastro/astro/pull/15564"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object