CVE-2026-29772
Heap Exhaustion via JSON Parsing in Astro Server Islands POST Handler

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.
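The defect the description names is an ordering and bounding problem: the body is buffered and handed to JSON.parse() before the cheap island-name check, and with no byte cap. The following is an added example, not Astro's own code or its 10.0.0 fix, showing the shape of a handler that avoids both mistakes. The island registry, the 64 KiB cap, the header names and the payloads are assumptions constructed for illustration.

```javascript
// Added example (not Astro's code): validate the island name first, cap the
// body size before JSON.parse() is ever reached, and only then parse.
// MAX_BODY_BYTES is an assumed cap; size it to the largest legitimate props.
const MAX_BODY_BYTES = 64 * 1024;

class BodyTooLarge extends Error {
  constructor(seen, limit) {
    super(`request body exceeded ${limit} bytes (saw at least ${seen})`);
    this.name = 'BodyTooLarge';
  }
}

// Accumulate body chunks, aborting as soon as the running total passes the cap.
// `chunks` stands in for the 'data' events of a Node IncomingMessage; a real
// handler would destroy the socket where this throws rather than drain the rest.
function collectBounded(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new BodyTooLarge(total, maxBytes);
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Reject early on a declared Content-Length that is already over the cap, but
// never rely on it as the only bound: chunked bodies carry no such header.
function declaredLengthTooLarge(headers, maxBytes = MAX_BODY_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return false;
  const n = Number(raw);
  return !Number.isInteger(n) || n < 0 || n > maxBytes;
}

// `registeredIslands` is an assumed Set of island names known to the app.
function handleServerIslandRequest(islandName, headers, chunks, registeredIslands) {
  // 1. Cheap validation first: an unknown island never gets its body read.
  if (!registeredIslands.has(islandName)) return { status: 404 };
  // 2. Header-level pre-check.
  if (declaredLengthTooLarge(headers)) return { status: 413 };
  // 3. Bounded buffering.
  let body;
  try {
    body = collectBounded(chunks);
  } catch (err) {
    if (err instanceof BodyTooLarge) return { status: 413 };
    throw err;
  }
  // 4. Only now parse, and insist on the expected top-level shape (an object).
  let props;
  try {
    props = JSON.parse(body.toString('utf8'));
  } catch {
    return { status: 400 };
  }
  if (props === null || typeof props !== 'object' || Array.isArray(props)) {
    return { status: 400 };
  }
  return { status: 200, props };
}

// Constructed payload of the shape the advisory describes: a long array of
// tiny objects, each costing 2 wire bytes but a whole heap object once parsed.
function buildManyObjectsPayload(count) {
  return Buffer.from('[' + Array(count).fill('{}').join(',') + ']');
}

// Split a buffer into fixed-size chunks, mimicking how a body arrives on the socket.
function splitIntoChunks(buf, size) {
  const out = [];
  for (let i = 0; i < buf.length; i += size) out.push(buf.subarray(i, i + size));
  return out;
}
```

Calling `handleServerIslandRequest('Avatar', {}, [Buffer.from('{"userId":42}')], new Set(['Avatar']))` returns a 200 with the parsed props, while feeding `splitIntoChunks(buildManyObjectsPayload(200000), 16384)` (about 600 KB on the wire) to the same handler returns 413 after at most five chunks, and JSON.parse() is never invoked on it. The order of the checks is the point: the name lookup and the byte counter are O(1) per request, so the expensive allocation only happens for requests that have already passed both.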
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-25
Generated: 2026-05-07
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: astro
Product: @astrojs/node
Version range: from 9.0.0 (inclusive) to 10.0.0 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability is patched in Astro version 10.0.0. Immediate mitigation involves upgrading Astro to version 10.0.0 or later.

Since the vulnerability allows unauthenticated requests to crash the server via the /_server-islands/[name] route, consider restricting access to this route or implementing network-level protections to limit potentially malicious POST requests until the upgrade can be applied.


Can you explain this vulnerability to me?

This vulnerability exists in the Astro web framework prior to version 10.0.0. The issue is in the Server Islands POST handler, which buffers and parses the entire request body as JSON without any size limit. Because JSON.parse() creates a V8 heap object for every element in the input, an attacker can send a specially crafted payload containing many small JSON objects. This results in approximately 15 times memory amplification from the wire bytes to heap bytes, allowing a single unauthenticated request to exhaust the server's process heap and cause it to crash.

The vulnerable route is /_server-islands/[name], which is registered on all Astro SSR apps using the Node standalone adapter, regardless of whether any component uses server:defer. The body is parsed before validating the island name, making all such apps affected. This vulnerability was fixed in Astro version 10.0.0.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an unauthenticated attacker to send a maliciously crafted POST request that consumes excessive memory on the server. This memory exhaustion can cause the server process to crash, leading to denial of service (DoS). As a result, your Astro SSR application may become unavailable or unstable until the server is restarted or the issue is mitigated.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

