CVE-2026-41322: Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
Requesting a static JS/CSS resource from the _astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file — regardless of the if-match header — will be served a 5xx error instead of the file until the cache expires.
Sending an incorrect or malformed if-match header should always return a 412 error without any cache headers, which is not the current behavior.
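As an added illustration (not Astro's own code), the following JavaScript shows the handling the advisory calls for: a malformed or non-matching If-Match on an immutable asset yields a 412 with no cache headers, and a helper flags the poisoning condition (an error status carrying a positive max-age). The asset ETag, header values and lowercase header keys are constructed assumptions.

```javascript
// Added example, not Astro's own code: a minimal If-Match evaluator for
// immutable static assets, showing the handling the advisory asks for.
// The asset ETag and request headers are constructed sample values.

// Parse an If-Match header value into a list of entity tags, or null if
// the value is malformed (RFC 9110 entity-tag grammar: optional W/, then
// a double-quoted string of etagc; "*" is allowed only on its own).
function parseIfMatch(value) {
  const v = value.trim();
  if (v === '*') return ['*'];
  const tags = [];
  for (const part of v.split(',')) {
    const tag = part.trim();
    if (!/^(W\/)?"[\x21\x23-\x7e]*"$/.test(tag)) return null;
    tags.push(tag);
  }
  return tags;
}

// Strong comparison: weak tags never match under If-Match.
function strongMatch(a, b) {
  return !a.startsWith('W/') && !b.startsWith('W/') && a === b;
}

// Build the response for a GET of an immutable _astro asset (header keys
// are assumed lowercase). A malformed or non-matching If-Match yields 412
// with NO cache headers, so a shared cache cannot store the failure.
function serveAsset(headers, asset) {
  const ifMatch = headers['if-match'];
  if (ifMatch !== undefined) {
    const tags = parseIfMatch(ifMatch);
    const ok = tags !== null &&
      (tags[0] === '*' || tags.some((t) => strongMatch(t, asset.etag)));
    if (!ok) return { status: 412, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: { etag: asset.etag, 'cache-control': 'public, max-age=31536000, immutable' },
    body: asset.body,
  };
}

// Defender-side check: flag a response that a shared cache could store
// while carrying an error status (the poisoning condition described above).
function isCacheableError(res) {
  const cc = res.headers['cache-control'] || '';
  const m = /max-age=(\d+)/.exec(cc);
  return res.status >= 400 && m !== null && Number(m[1]) > 0;
}
```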