PT-2026-21611 · Astro · Astro

Pho9Ubenaa · Published 2026-02-24 · Updated 2026-02-26 · CVE-2026-27729

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Astro versions 9.0.0 through 9.5.3

Description: Astro server actions lack a default request body size limit, potentially leading to a denial of service (DoS) due to memory exhaustion. A large POST request to a valid action endpoint can crash the server process, particularly on deployments with limited memory. The vulnerability occurs because Astro automatically parses incoming request bodies (JSON or FormData) into memory without any size restrictions. This allows an attacker to send an oversized request, exhausting the process heap and causing the server to crash. In containerized environments, this can result in a persistent crash-restart loop. The vulnerability is exploitable without authentication, as action names are discoverable from HTML form attributes on public pages.

Recommendations: Update to Astro version 9.5.4 or later.
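The weakness described above is an unbounded read of the request body before parsing. The following is an added example, not Astro's own code and not the 9.5.4 fix: a bounded body reader written against the standard Request / ReadableStream API that checks the declared Content-Length first and then counts bytes while streaming, so an oversized payload is rejected with 413 before any JSON or FormData parsing sees it. The 1 MiB default limit and the handler wrapper are assumptions.

```javascript
// Added example (not Astro project code). Astro's own fixed defaults and option
// names are not shown on this page, so the limit below is an assumed value.
const DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // assumed: 1 MiB

// Fast path: a declared Content-Length over the limit is rejected before any
// byte of the body is read. A missing or malformed header is NOT trusted to
// mean "small"; the streaming path below still counts bytes.
function contentLengthExceeds(headers, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const raw = headers.get("content-length");
  if (raw === null || raw === "") return false;
  const n = Number(raw);
  return !Number.isInteger(n) || n < 0 || n > maxBytes;
}

// Slow path: consume the body chunk by chunk and stop as soon as the running
// total crosses the limit, so the process never buffers an oversized payload.
async function readBodyBounded(request, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  if (contentLengthExceeds(request.headers, maxBytes)) {
    return { ok: false, reason: "content-length" };
  }
  if (!request.body) return { ok: true, bytes: new Uint8Array(0) };
  const reader = request.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // release the stream; do not keep reading
      return { ok: false, reason: "stream" };
    }
    chunks.push(value);
  }
  const bytes = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { bytes.set(c, offset); offset += c.byteLength; }
  return { ok: true, bytes };
}

// Wrapper for a handler that wants the body text: oversized requests get a
// 413 and never reach JSON.parse / FormData parsing.
async function handleActionRequest(request, handler, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const result = await readBodyBounded(request, maxBytes);
  if (!result.ok) return new Response("Payload Too Large", { status: 413 });
  return handler(new TextDecoder().decode(result.bytes));
}
```

Deploying a limit like this at the application layer complements, rather than replaces, a limit at the reverse proxy, since the proxy limit does not help when the process is reached directly.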

Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-27729, GHSA-JM64-8M5Q-4QH8

Affected Products: Astro