CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29772: Unauthenticated Denial of Service via Resource Exhaustion in Astro Server Islands

Vulnerability ID: CVE-2026-29772
CVSS Score: 5.9
Published: 2026-03-24

A critical resource exhaustion vulnerability exists in the Astro web framework versions prior to 10.0.0. The Server Islands endpoint fails to enforce size limits on incoming POST request bodies, allowing an unauthenticated attacker to cause a Denial of Service (DoS) by sending a crafted JSON payload that triggers massive V8 heap memory allocation.

TL;DR

Unbounded JSON parsing in the Astro Server Islands endpoint allows unauthenticated attackers to exhaust Node.js heap memory, resulting in a remote Denial of Service condition.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-770
  • Attack Vector: Network
  • CVSS: 5.9 (Medium)
  • Impact: High (Denial of Service)
  • Exploit Status: Proof of Concept

Affected Systems

  • Astro Server-Side Rendering (SSR) applications
  • @astrojs/node standalone adapter
  • Astro: < 10.0.0 (Fixed in: 10.0.0)

Code Analysis

Commit: f9ee868

Fix: Introduce body size limit for Server Islands endpoint

Mitigation Strategies

  • Implement WAF rules limiting the size of POST requests to /_server-islands/.*
  • Configure security.serverIslandBodySizeLimit in astro.config.mjs
  • Monitor Node.js process restarts and OOM errors

Remediation Steps:

  1. Upgrade astro to version 10.0.0 or later
  2. Upgrade @astrojs/node adapter to version 10.0.0 or later
  3. Verify the application functions correctly with the new 1MB default body size limit
  4. Deploy updated dependencies to the production environment
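The guard the fix introduces, shown as an added standalone Node.js example (not Astro's own code): the body is bounded before JSON.parse ever runs, both for a declared Content-Length and for chunked bodies that carry none. The 1 MiB default mirrors the fixed default described above; `fakeRequest` is a constructed stand-in for `http.IncomingMessage` so the example runs offline.

```javascript
// Added example: enforce a request body size limit before JSON parsing.
// Not Astro's implementation; 1 MiB mirrors the fixed default in the report.
const DEFAULT_BODY_LIMIT = 1024 * 1024;

class BodyTooLarge extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.status = 413;
  }
}

// Tracks bytes for a single request. Both checks run before any JSON is
// parsed, so an oversize payload never reaches the V8 heap as an object graph.
function createBodyLimiter(limit = DEFAULT_BODY_LIMIT) {
  let received = 0;
  return {
    // Reject up front when the client declares an oversize Content-Length.
    checkDeclared(contentLength) {
      const n = Number(contentLength);
      return !(Number.isFinite(n) && n > limit);
    },
    // Count streamed bytes; false means stop reading and answer 413.
    // Required because chunked transfer encoding sends no Content-Length.
    accept(chunk) {
      received += chunk.length;
      return received <= limit;
    },
  };
}

// req: any object with `headers`, `destroy()` and an async chunk iterator
// (e.g. http.IncomingMessage). Resolves to parsed JSON or throws BodyTooLarge.
async function readJsonBodyLimited(req, limit = DEFAULT_BODY_LIMIT) {
  const limiter = createBodyLimiter(limit);
  if (!limiter.checkDeclared(req.headers['content-length'])) throw new BodyTooLarge(limit);
  const chunks = [];
  for await (const chunk of req) {
    if (!limiter.accept(chunk)) {
      req.destroy(); // stop buffering the remainder of the client-controlled stream
      throw new BodyTooLarge(limit);
    }
    chunks.push(chunk);
  }
  return JSON.parse(Buffer.concat(chunks).toString('utf8'));
}

// Constructed stand-in for an IncomingMessage so the example runs offline.
function fakeRequest(chunks, headers = {}) {
  return { headers, destroyed: false, destroy() { this.destroyed = true; },
    async *[Symbol.asyncIterator]() { for (const c of chunks) yield Buffer.from(c); } };
}
```

A handler that catches `BodyTooLarge` should respond with status 413 and close the connection rather than continue reading.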

Read the full report for CVE-2026-29772 on our website for more details including interactive diagrams and full exploit analysis.
