Server Memory Exhaustion Vulnerability in Astro Web Framework
CVE-2026-29772
5.9 MEDIUM
What is CVE-2026-29772?
Astro, a web framework, has a vulnerability in its Server Islands POST handler that can lead to server memory exhaustion. The handler parses the full request body as JSON without enforcing a size limit. A malicious actor can therefore send a payload made up of many small JSON objects, which produces significant memory amplification (approximately 15 times) when the body is parsed into objects. As a result, a single unauthenticated request can monopolize the process heap and potentially crash the server. The vulnerability affects all Astro SSR applications that use the Node standalone adapter, because the POST body is parsed before the island name is validated. A patch is available in version 10.0.0.
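The unbounded-parse pattern the advisory describes, beside a hardened body reader, as an added example that is not Astro's code: the names parseJsonUnbounded, parseJsonBounded and chunkify are hypothetical, and the example assumes the body arrives as Buffer chunks (as a Node request stream delivers it) and that the endpoint picks a small maxBytes for an island request.

```javascript
// Added example, not Astro's own code. The hypothetical parseJsonBounded()
// models a defensive body reader for a JSON endpoint such as the Server
// Islands POST handler: it caps the body *before* JSON.parse, because the
// parse step is where a few kilobytes of input become many heap objects.
// Assumptions: chunks is an iterable of Buffer objects, as a Node request
// stream would deliver them; maxBytes is chosen by the caller.

class PayloadTooLarge extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'PayloadTooLarge';
    this.status = 413; // the HTTP status a handler should answer with
  }
}

// Weak pattern described in the advisory: buffer everything, then parse.
function parseJsonUnbounded(chunks) {
  return JSON.parse(Buffer.concat(Array.from(chunks)).toString('utf8'));
}

// Hardened pattern: reject on the declared Content-Length first (cheap), then
// stop reading the moment the observed size passes the cap, so neither the
// raw buffer nor the parsed object graph can grow beyond what the limit allows.
function parseJsonBounded(chunks, maxBytes, declaredLength) {
  if (declaredLength !== undefined && declaredLength > maxBytes) {
    throw new PayloadTooLarge(maxBytes);
  }
  const kept = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length; // byte length for a Buffer
    if (received > maxBytes) throw new PayloadTooLarge(maxBytes);
    kept.push(chunk);
  }
  return JSON.parse(Buffer.concat(kept).toString('utf8'));
}

// Split text into Buffer chunks of `size` bytes to simulate a request stream
// (constructed test input, not captured traffic).
function chunkify(text, size) {
  const buf = Buffer.from(text, 'utf8');
  const out = [];
  for (let i = 0; i < buf.length; i += size) out.push(buf.subarray(i, i + size));
  return out;
}

// Constructed sample: 1000 tiny objects (3001 bytes), the shape that costs far
// more heap once parsed than it occupies on the wire.
const sampleBody = JSON.stringify(Array.from({ length: 1000 }, () => ({})));
const sampleChunks = chunkify(sampleBody, 256);
```

With a 1 KiB cap the bounded reader throws on the fifth chunk and never reaches JSON.parse, while the unbounded reader happily materializes all 1000 objects.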
Affected Version(s)
astro < 10.0.0
