CVE-2026-27729
Published: 24 February 2026
Summary
CVE-2026-27729 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Astro \@Astrojs\/Node. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The lack of request body size limits enables direct exploitation of the public-facing Astro/Node SSR application to exhaust memory and crash the process (single oversized POST or repeated requests for persistent effect), matching Application or System Exploitation under Endpoint Denial of Service.
NVD Description
Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server…
more
process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server. Astro's Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no authentication is required. The vulnerability allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments. Version 9.5.4 contains a fix.
Deeper analysisAI
CVE-2026-27729 affects the Astro web framework in versions 9.0.0 through 9.5.3, specifically server actions in on-demand rendered sites using the Node adapter in standalone mode. The vulnerability stems from a lack of default request body size limits when parsing incoming JSON or FormData bodies, which are fully buffered into memory. This enables memory exhaustion denial-of-service (DoS) attacks, as a single oversized POST request to a valid server action endpoint can exhaust the process heap and crash the server, particularly on memory-constrained deployments.
Unauthenticated remote attackers can exploit this by discovering action names from HTML form attributes on public pages and sending oversized POST requests to those endpoints. A single request crashes the server process, while repeated requests in containerized environments trigger a persistent crash-restart loop, rendering the service unavailable. The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting network accessibility with high attack complexity but no privileges required and high availability impact.
Mitigation is available in Astro version 9.5.4, which introduces a fix for the missing body size limit. Relevant advisories and resources include the GitHub security advisory (GHSA-jm64-8m5q-4qh8), the fixing commit (522f880b07a4ea7d69a19b5507fb53a5ed6c87f8), pull request #15564, and the release notes for @astrojs/node@9.5.4. Security practitioners should upgrade SSR standalone deployments to the patched version and review public forms for exposed action endpoints.
Details
- CWE(s)