PT-2026-34681 · Npm+1 · @Astrojs/Node+1

Published: 2026-04-23 · Updated: 2026-04-24 · CVE-2026-41322

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

@astrojs/node versions prior to 10.0.5
astro version 5.14.1

Description

Requesting static JS or CSS resources from the '_astro' path with an incorrect or malformed If-Match header can result in a 500 error instead of the expected 412 error. In some cases, this response includes a cache lifetime of one year. Consequently, all subsequent requests for that file, regardless of the If-Match header, will be served a 5xx error until the cache expires. The result is cache poisoning: the assets become unavailable to legitimate users.

Recommendations

Update @astrojs/node to version 10.0.5 or later. At the moment, there is no information about a newer version of astro that contains a fix for this vulnerability in version 5.14.1.
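
Added example (not from the advisory or the Astro project): a defender-side audit that flags 5xx responses a shared cache would store and reuse, which is the condition the description identifies. The record shape, function names and sample paths are assumptions constructed for illustration.

```javascript
// Added example: flag 5xx responses that a shared cache (CDN, reverse proxy) would reuse.
// The record shape { path, status, cacheControl } is an assumption, e.g. exported from edge logs.

// Parse a Cache-Control value into a Map of lowercase directive -> value (or true).
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, raw] = part.trim().split("=", 2);
    if (!name) continue;
    directives.set(name.toLowerCase(), raw === undefined ? true : raw.replace(/^"|"$/g, ""));
  }
  return directives;
}

// Seconds a shared cache may reuse the response without revalidation; 0 means none.
function sharedCacheLifetime(cacheControl) {
  const d = parseCacheControl(cacheControl);
  // no-store and private keep it out of shared caches; no-cache forces revalidation.
  if (d.has("no-store") || d.has("private") || d.has("no-cache")) return 0;
  // s-maxage overrides max-age for shared caches.
  const raw = d.has("s-maxage") ? d.get("s-maxage") : d.get("max-age");
  const seconds = Number.parseInt(raw, 10);
  return Number.isFinite(seconds) && seconds > 0 ? seconds : 0;
}

// Return the server-error responses that a shared cache could serve to later visitors.
function findCacheableErrors(records) {
  return records
    .filter((r) => r.status >= 500 && r.status <= 599)
    .map((r) => ({ ...r, lifetime: sharedCacheLifetime(r.cacheControl) }))
    .filter((r) => r.lifetime > 0);
}

// Constructed sample records (not real traffic; file names are made up).
const SAMPLE = [
  { path: "/_astro/app.abc123.js", status: 200, cacheControl: "public, max-age=31536000, immutable" },
  { path: "/_astro/app.abc123.js", status: 500, cacheControl: "public, max-age=31536000, immutable" },
  { path: "/_astro/site.def456.css", status: 412, cacheControl: "no-store" },
  { path: "/_astro/site.def456.css", status: 500, cacheControl: "no-store" },
  { path: "/api/data", status: 503, cacheControl: "private, max-age=60" },
];

for (const hit of findCacheableErrors(SAMPLE)) {
  console.log(`${hit.status} ${hit.path} cacheable for ${hit.lifetime}s`);
}
```

Any hit on a static asset path means the error response itself is cacheable; an edge rule that refuses to store 5xx responses is a useful stopgap until the update is deployed.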


Weakness Enumeration

Related Identifiers

CVE-2026-41322
GHSA-C57F-MM3J-27Q9

Affected Products

@Astrojs/Node
Astro