CVE-2026-27729
Published: 24 February 2026
Summary
CVE-2026-27729 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Astro \@Astrojs\/Node. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27729 affects the Astro web framework in versions 9.0.0 through 9.5.3, specifically server actions in on-demand rendered sites using the Node adapter in standalone mode. The vulnerability stems from a lack of default request body size limits when parsing incoming JSON or FormData bodies, which are fully buffered into memory. This enables memory exhaustion denial-of-service (DoS) attacks, as a single oversized POST request to a valid server action endpoint can exhaust the process heap and crash the server, particularly on memory-constrained deployments.
Unauthenticated remote attackers can exploit this by discovering action names from HTML form attributes on public pages and sending oversized POST requests to those endpoints. A single request crashes the server process, while repeated requests in containerized environments trigger a persistent crash-restart loop, rendering the service unavailable. The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting network accessibility with high attack complexity but no privileges required and high availability impact.
Mitigation is available in Astro version 9.5.4, which introduces a fix for the missing body size limit. Relevant advisories and resources include the GitHub security advisory (GHSA-jm64-8m5q-4qh8), the fixing commit (522f880b07a4ea7d69a19b5507fb53a5ed6c87f8), pull request #15564, and the release notes for @astrojs/node@9.5.4. Security practitioners should upgrade SSR standalone deployments to the patched version and review public forms for exposed action endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7451
Vulnerability details
Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server…
more
process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The lack of request body size limits enables direct exploitation of the public-facing Astro/Node SSR application to exhaust memory and crash the process (single oversized POST or repeated requests for persistent effect), matching Application or System Exploitation under Endpoint Denial of Service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires protection against resource-exhaustion DoS attacks such as oversized request bodies that crash the server process.
Mandates validation of input size and format, which would have blocked the unbounded JSON/FormData buffering that enables the memory exhaustion.
Requires management of system resource allocation so that a single unauthenticated request cannot exhaust heap memory and trigger a crash-restart loop.