CVE-2026-29772

MEDIUM 5.9

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.

CWE	CWE-770
Vendor	withastro
Product	astro
Published	Mar 24, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for withastro astro

Be the first to know when new medium vulnerabilities affecting withastro astro are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

withastro / astro

< 10.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv