DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27729: Astro-nomical Crash: The Unbounded Body Problem in Server Actions

Vulnerability ID: CVE-2026-27729
CVSS Score: 5.9
Published: 2026-02-25

A missing bound in how the Astro web framework reads Server Action request bodies created a trivial Denial of Service vector. Because no maximum body size was enforced, an unauthenticated attacker could push an arbitrarily large body into the Node.js process, which buffered it until heap allocation failed and the process crashed. The report scopes the issue to the astro and @astrojs/node packages with the Node adapter in standalone mode, where the adapter runs its own HTTP server rather than being mounted as middleware in another server.

TL;DR

Astro 9.0.0 through 9.5.3 (and the matching @astrojs/node releases) accept request bodies of any size for Server Actions. An unauthenticated attacker can POST a very large body (the report's example is 500 MB) to any action endpoint; the process buffers it, exhausts the heap (OOM) and crashes. Because the request needs no credentials and is cheap to repeat, the outage persists: in containerized deployments the orchestrator restarts the process and the next oversized request kills it again, a crash-restart loop.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • CWE Name: Allocation of Resources Without Limits or Throttling
  • Attack Vector: Network
  • CVSS Score: 5.9 (Medium)
  • Impact: Denial of Service (DoS)
  • EPSS Score: 0.0007

Affected Systems

  • Astro Framework (Core)
  • @astrojs/node Adapter
  • Node.js Runtime
  • astro: >= 9.0.0, < 9.5.4 (Fixed in: 9.5.4)
  • @astrojs/node: >= 9.0.0, < 9.5.4 (Fixed in: 9.5.4)

Code Analysis

Commit: 522f880

fix(actions): limit request body size to 1mb

async function readRequestBodyWithLimit(request: Request, limit: number) { ... }

The commit message and this new helper's signature are all the report shows of the patch. The name and the explicit limit parameter indicate that action bodies are now read through a function that stops at a byte cap (1 MB according to the commit message) instead of being buffered whole.
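To make the fix concrete, the following is an added illustration, not Astro's patch or any code from the astro or @astrojs/node packages. It places an unbounded body read (the pre-fix shape of the problem) beside a bounded reader that takes an explicit byte limit, as the commit's helper signature does. All names in it (readRequestBodyUnbounded, readRequestBodyWithLimit, BodyTooLargeError, MAX_ACTION_BODY_BYTES, handleActionRequest) and the /_actions/ping endpoint are assumptions of this example; only the 1 MB figure comes from the commit message. It uses the WHATWG Request/Response/ReadableStream globals available in Node.js 18 and later.

```javascript
// Added illustration for CVE-2026-27729; this is NOT Astro's code. It contrasts an
// unbounded body read (the pre-fix behaviour) with a bounded one of the kind the
// commit "fix(actions): limit request body size to 1mb" describes. Every name
// below is this example's own; only the 1 MB figure comes from the commit message,
// and the endpoint path is a made-up Server Action URL.

const MAX_ACTION_BODY_BYTES = 1024 * 1024; // 1 MiB, the cap the upstream fix chose

class BodyTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'BodyTooLargeError';
    this.status = 413; // HTTP 413 Content Too Large
  }
}

// Pre-fix shape of the problem: buffer the entire body before doing anything with
// it. Memory use is bounded only by what the client chooses to send, so a 500 MB
// POST becomes a 500 MB heap allocation and the process dies of OOM. Never call
// this on untrusted input; it is here only to show what the bounded reader replaces.
async function readRequestBodyUnbounded(request) {
  return new Uint8Array(await request.arrayBuffer());
}

// Bounded read: reject a declared Content-Length above the limit outright, then
// stream the body and abort as soon as the running total passes the limit.
// Streaming matters because a chunked request declares no length and a client can
// lie in Content-Length; the only reliable check is on bytes actually read.
async function readRequestBodyWithLimit(request, limit = MAX_ACTION_BODY_BYTES) {
  const declared = request.headers.get('content-length');
  if (declared !== null && Number(declared) > limit) {
    throw new BodyTooLargeError(limit);
  }
  if (request.body === null) return new Uint8Array(0);

  const reader = request.body.getReader();
  const chunks = [];
  let received = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      received += value.byteLength;
      // Throw before retaining the chunk: at most one chunk beyond the cap is ever
      // held, and cancel() in the finally block stops the rest from being read.
      if (received > limit) throw new BodyTooLargeError(limit);
      chunks.push(value);
    }
  } finally {
    await reader.cancel().catch(() => {});
  }

  const body = new Uint8Array(received);
  let offset = 0;
  for (const chunk of chunks) {
    body.set(chunk, offset);
    offset += chunk.byteLength;
  }
  return body;
}

// Handler in the shape of an action endpoint: map the size error to a 413 response
// so the client gets an answer and the process keeps serving other requests.
async function handleActionRequest(request) {
  try {
    const body = await readRequestBodyWithLimit(request);
    return new Response(JSON.stringify({ receivedBytes: body.byteLength }), {
      status: 200,
      headers: { 'content-type': 'application/json' },
    });
  } catch (err) {
    if (err instanceof BodyTooLargeError) {
      return new Response(err.message, { status: err.status });
    }
    throw err;
  }
}

// Stand-alone demo with constructed requests: a 5-byte body and a 2 MiB body.
async function demo() {
  const url = 'http://localhost:4321/_actions/ping'; // hypothetical action endpoint
  const small = new Request(url, { method: 'POST', body: 'hello' });
  const huge = new Request(url, { method: 'POST', body: 'x'.repeat(2 * MAX_ACTION_BODY_BYTES) });
  const ok = await handleActionRequest(small);
  const rejected = await handleActionRequest(huge);
  console.log('small body ->', ok.status, await ok.text());
  console.log('2 MiB body ->', rejected.status, await rejected.text());
  return [ok.status, rejected.status];
}

demo();
```

The Content-Length precheck is only an optimisation; the streaming counter is the actual control. A chunked request carries no Content-Length at all, and nothing stops a client from declaring 10 bytes and sending 500 MB, so a limit that is enforced only on the header is not a limit.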

Exploit Details

Mitigation Strategies

  • Upgrade to Astro v9.5.4 or later (and @astrojs/node 9.5.4 or later).
  • Put a reverse proxy (Nginx/HAProxy) in front of the Node process and cap request bodies there (client_max_body_size in nginx), so an oversized request is answered with 413 before any of it reaches the application.
  • Deploy a WAF rule to block oversized POST requests to /_actions/* endpoints. Enforce it on bytes actually received, not only on the Content-Length header, since a chunked request declares no length.
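The reverse-proxy mitigation above, as an added example of an nginx configuration; it is not from the report or the Astro project. It assumes the standalone @astrojs/node server listens on 127.0.0.1:4321 (Astro's default port) behind nginx, and uses the same 1 MB cap as the upstream fix so the two defences agree.

```nginx
# Added example (not Astro's own configuration). Assumes the standalone
# @astrojs/node server is bound to 127.0.0.1:4321 and nginx is the only
# listener exposed to clients.
server {
    listen 80;
    server_name example.com;

    # Site-wide default; raise it only in locations that legitimately accept uploads.
    client_max_body_size 1m;

    # Server Action endpoints: anything above 1 MB is answered with 413 by nginx
    # itself. nginx enforces the cap while reading the body, so it holds for
    # chunked requests as well as for a declared Content-Length.
    location /_actions/ {
        client_max_body_size 1m;
        proxy_pass http://127.0.0.1:4321;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://127.0.0.1:4321;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This buys time before the package upgrade lands and remains useful afterwards as defence in depth, but it only helps if the Node process is not reachable directly; bind it to localhost or a private interface so the proxy cannot be bypassed.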

Remediation Steps:

  1. Run npm outdated to identify the vulnerable astro and @astrojs/node packages.
  2. Update the packages: npm update astro @astrojs/node. Note that npm update only moves within the semver range declared in package.json; if that range excludes 9.5.4, install the fixed versions explicitly (npm install astro@^9.5.4 @astrojs/node@^9.5.4).
  3. Verify the installed versions with npm ls astro @astrojs/node and confirm both report >= 9.5.4. package.json holds a range, not the resolved version, so check the lockfile or npm ls rather than the manifest.
  4. Rebuild and restart the application service so the running process uses the patched packages.
