Memory Exhaustion Vulnerability in Astro Framework by Astro
CVE-2026-27729
What is CVE-2026-27729?
The Astro framework's server actions in versions 9.0.0 to 9.5.3 lack a default limit on the size of request bodies, leading to potential memory exhaustion. A single large POST request sent to a valid action endpoint can crash the server process, particularly in memory-constrained environments. On-demand rendered sites built with Astro expose server actions that automatically parse incoming JSON or FormData requests, buffering the entire request body into memory without any size constraint, which makes server deployments susceptible to denial of service. Notably, in containerized environments where the crashed process is automatically restarted, repeated oversized requests produce a persistent crash-restart loop. Action names are discoverable from the HTML form attributes on public pages, so no authentication is needed. Version 9.5.4 introduces a fix for this issue.
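The mitigation the advisory implies is a hard cap on how much of a request body is ever buffered before it is parsed. The following is an added example, not Astro's own code: it bounds the read both on the declared Content-Length and while streaming, since a client can omit or understate Content-Length. It uses only the standard Fetch API (Request/Response/Headers) as available in Node 18+; the 1 MiB default and the error class are illustrative assumptions.

```javascript
// Added example, not Astro's own code: buffer a Request body with a hard byte
// cap so one oversized POST is refused with 413 instead of exhausting memory.
// Uses only the standard Fetch API (Request/Response/Headers) as available in
// Node 18+; the 1 MiB default and the error class are assumptions.
const DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // illustrative default

class BodyTooLargeError extends Error {}

// Cheap pre-check on the declared size. A false result is NOT a guarantee:
// Content-Length may be absent (chunked) or understated, so the stream is bounded below too.
function exceedsDeclaredLength(headers, maxBytes) {
  const declared = headers.get("content-length");
  return declared !== null && Number(declared) > maxBytes;
}

// Read the body chunk by chunk and abort as soon as the running total passes
// the cap; at most maxBytes (plus one chunk) is ever held in memory.
async function readBodyBounded(request, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  if (exceedsDeclaredLength(request.headers, maxBytes)) throw new BodyTooLargeError();
  if (!request.body) return new Uint8Array(0);
  const reader = request.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // stop pulling; drop what was buffered so far
      throw new BodyTooLargeError();
    }
    chunks.push(value);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return out;
}

// Action-style wrapper: only parse JSON once the bounded read has succeeded,
// and map the size error to a 413 response instead of letting the process die.
async function handleJsonAction(request, handler, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  let raw;
  try {
    raw = await readBodyBounded(request, maxBytes);
  } catch (err) {
    if (err instanceof BodyTooLargeError) return new Response("Payload Too Large", { status: 413 });
    throw err;
  }
  return handler(JSON.parse(new TextDecoder().decode(raw)));
}
```

The same bounded read applies to FormData bodies; the point is that the limit is enforced before any parser sees the bytes.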

Affected Version(s)
astro >= 9.0.0, < 9.5.4
