PT-2026-27479 · Astro · Astro

Adrgs

Published: 2026-03-24 · Updated: 2026-03-25 · CVE-2026-29772

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 10.0.0

Description: Astro's Server Islands POST handler does not enforce a size limit when buffering and parsing JSON request bodies. JSON.parse() allocates a V8 heap object for each element in the input, which amounts to roughly 15x memory amplification relative to the raw body. A crafted payload containing a large number of small JSON objects can therefore exhaust the process heap and crash the server. The vulnerable code path is the `/_server-islands/[name]` route, which is registered automatically for every Astro SSR application using the Node standalone adapter, regardless of whether server-side rendering with defer is actually used. The request body is parsed before the island name is validated, so any value in the `[name]` parameter reaches the parser. No authentication is required to exploit this issue.

Recommendations: Update to Astro version 10.0.0 or later.
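The weakness described above is the absence of a byte limit between "read the body" and "JSON.parse() it". The following is an added defensive example, not Astro's code or the patch that shipped in 10.0.0: a bounded body collector for a Node handler that rejects a request with 413 as soon as the cumulative byte count passes a limit, before anything is parsed, and that additionally rejects an honest oversized Content-Length up front. The names `BoundedJsonBody`, `parseBoundedJson`, `collectJsonBody`, `contentLengthExceeds` and the 64 KiB default are assumptions chosen for illustration; the right limit for a given deployment depends on how large island props legitimately get.

```javascript
'use strict';

// Assumed default: island props are small, so 64 KiB is generous.
const DEFAULT_MAX_BODY_BYTES = 64 * 1024;

class BodyTooLarge extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'BodyTooLarge';
    this.statusCode = 413;
  }
}

// Accumulates body chunks and enforces the byte budget on every push,
// so the parser is never handed more than maxBytes of input.
class BoundedJsonBody {
  constructor(maxBytes = DEFAULT_MAX_BODY_BYTES) {
    this.maxBytes = maxBytes;
    this.chunks = [];
    this.received = 0;
  }

  // Throws BodyTooLarge the moment the running total passes the limit.
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.received += buf.length;
    if (this.received > this.maxBytes) throw new BodyTooLarge(this.maxBytes);
    this.chunks.push(buf);
    return this.received;
  }

  // Only called once the whole bounded body has been collected.
  finish() {
    return JSON.parse(Buffer.concat(this.chunks).toString('utf8'));
  }
}

// Synchronous classification of a complete body: 200 with the parsed value,
// 413 when over budget, 400 when the bytes are not valid JSON.
function parseBoundedJson(body, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const collector = new BoundedJsonBody(maxBytes);
  try {
    collector.push(body);
    return { status: 200, value: collector.finish() };
  } catch (err) {
    if (err instanceof BodyTooLarge) return { status: 413, error: err.message };
    if (err instanceof SyntaxError) return { status: 400, error: 'malformed JSON' };
    throw err;
  }
}

// Cheap first gate: a client that declares an oversized body is refused before
// a single byte is read. Chunked or lying clients are caught by the streaming guard.
function contentLengthExceeds(headers, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return false;
  const declared = Number(raw);
  return Number.isFinite(declared) && declared > maxBytes;
}

// Streaming variant for a Node IncomingMessage (or any readable stream).
// The socket is destroyed as soon as the budget is exceeded, so the excess
// bytes are neither buffered nor parsed.
function collectJsonBody(stream, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  return new Promise((resolve, reject) => {
    const collector = new BoundedJsonBody(maxBytes);
    stream.on('data', (chunk) => {
      try {
        collector.push(chunk);
      } catch (err) {
        stream.destroy();
        reject(err);
      }
    });
    stream.on('end', () => {
      try {
        resolve(collector.finish());
      } catch (err) {
        reject(err);
      }
    });
    stream.on('error', reject);
  });
}

// Example handler shape (assumed): check the header, then stream with a budget.
async function handleIslandPost(req, res, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  if (contentLengthExceeds(req.headers, maxBytes)) {
    res.statusCode = 413;
    return res.end();
  }
  try {
    const props = await collectJsonBody(req, maxBytes);
    res.statusCode = 200;
    return res.end(JSON.stringify({ ok: true, keys: Object.keys(props).length }));
  } catch (err) {
    res.statusCode = err.statusCode || 400;
    return res.end();
  }
}
```

The byte budget is the important part: a limit measured in bytes of input bounds the parser's heap growth regardless of the amplification factor of the content, whereas a check performed after `JSON.parse()` has already returned would be too late. Validating the island name before touching the body, as the advisory's ordering point implies, removes the unauthenticated code path entirely for names that do not exist.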

Links: Exploit · Fix

Tags: DoS · Allocation of Resources Without Limits


Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-29772 · GHSA-3RMJ-9M5H-8FPV

Affected Products: Astro