Cyber Resilience

CVE-2026-27729

MediumPublic PoCDDoS

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0016 37.1th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27729 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Astro \@Astrojs\/Node. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27729 affects the Astro web framework in versions 9.0.0 through 9.5.3, specifically server actions in on-demand rendered sites using the Node adapter in standalone mode. The vulnerability stems from a lack of default request body size limits when parsing incoming JSON or FormData bodies, which are fully buffered into memory. This enables memory exhaustion denial-of-service (DoS) attacks, as a single oversized POST request to a valid server action endpoint can exhaust the process heap and crash the server, particularly on memory-constrained deployments.

Unauthenticated remote attackers can exploit this by discovering action names from HTML form attributes on public pages and sending oversized POST requests to those endpoints. A single request crashes the server process, while repeated requests in containerized environments trigger a persistent crash-restart loop, rendering the service unavailable. The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting network accessibility with high attack complexity but no privileges required and high availability impact.

Mitigation is available in Astro version 9.5.4, which introduces a fix for the missing body size limit. Relevant advisories and resources include the GitHub security advisory (GHSA-jm64-8m5q-4qh8), the fixing commit (522f880b07a4ea7d69a19b5507fb53a5ed6c87f8), pull request #15564, and the release notes for @astrojs/node@9.5.4. Security practitioners should upgrade SSR standalone deployments to the patched version and review public forms for exposed action endpoints.

EU & UK References

Vulnerability details

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server…

more

process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The lack of request body size limits enables direct exploitation of the public-facing Astro/Node SSR application to exhaust memory and crash the process (single oversized POST or repeated requests for persistent effect), matching Application or System Exploitation under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29772Same product: Astro \@Astrojs\/Node
CVE-2026-25545Same product: Astro \@Astrojs\/Node
CVE-2026-27829Same product: Astro \@Astrojs\/Node
CVE-2021-47877Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2025-66560Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2020-37038Shared CWE-770
CVE-2025-36070Shared CWE-770
CVE-2021-47791Shared CWE-770

Affected Assets

astro
\@astrojs\/node
9.0.0 — 9.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires protection against resource-exhaustion DoS attacks such as oversized request bodies that crash the server process.

prevent

Mandates validation of input size and format, which would have blocked the unbounded JSON/FormData buffering that enables the memory exhaustion.

prevent

Requires management of system resource allocation so that a single unauthenticated request cannot exhaust heap memory and trigger a crash-restart loop.

References