CVE-2026-29772
Published: 24 March 2026
Summary
CVE-2026-29772 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Astro with the @astrojs/node adapter. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at percentile 7.2 by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly protects against denial-of-service events, including memory exhaustion from unbounded JSON request body parsing.
- Enforces restrictions on the quantity of input information, such as a maximum request body size, to prevent heap amplification from crafted JSON payloads.
- Implements resource allocation quotas and protections to ensure availability and limit heap exhaustion by individual unauthenticated requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables direct exploitation of an application-layer resource exhaustion flaw (unbounded JSON body parsing) to crash the server process, matching T1499.004 Application or System Exploitation.
NVD Description
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.
Deeper analysis
CVE-2026-29772 is a denial-of-service vulnerability in the Astro web framework, affecting versions prior to 10.0.0. The issue resides in Astro's Server Islands POST handler, which buffers and parses the full request body as JSON without enforcing a size limit. This allows a crafted payload consisting of many small JSON objects to trigger significant memory amplification—approximately 15x from wire bytes to heap bytes—due to V8 heap object allocation during JSON.parse(). The vulnerability impacts all Astro SSR applications using the Node standalone adapter, as the /_server-islands/[name] route is registered by default and the body is parsed before validating the island name, regardless of whether server:defer components are used.
An unauthenticated remote attacker can exploit this vulnerability by sending a single crafted POST request to the affected route. The attack requires high complexity (CVSS Attack Complexity: High) to construct the payload effectively, but achieves process heap exhaustion, resulting in server crashes and denial of service (CVSS Base Score: 5.9; AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). No privileges, user interaction, or scope change are needed, making it feasible against internet-exposed Astro SSR apps.
The vulnerability, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), has been addressed in Astro version 10.0.0. Security practitioners should upgrade to this version or later. Additional details are available in the official advisory at https://github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv.
Details
- CWE(s)