CVE-2026-27729: Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.
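A bounded body read of the kind whose absence the advisory describes, as an added example that is not Astro's code or its patch. It assumes a fetch-style `Request` (Node 18+ globals); the 1 MiB limit and the names `readBodyWithLimit`, `guardAction` and `BodyTooLargeError` are hypothetical.

```javascript
// Added example: cap how many body bytes are buffered before a handler runs.
// MAX_BODY_BYTES is an assumed value, not a default taken from Astro.
const MAX_BODY_BYTES = 1024 * 1024;

class BodyTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.status = 413;
  }
}

async function readBodyWithLimit(request, limit = MAX_BODY_BYTES) {
  // Early reject: Content-Length is used only to refuse, never to accept,
  // because it can be absent (chunked transfer) or simply wrong.
  const declared = Number(request.headers.get("content-length"));
  if (Number.isFinite(declared) && declared > limit) throw new BodyTooLargeError(limit);
  if (!request.body) return new Uint8Array(0);

  const reader = request.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > limit) {
      // Stop pulling data as soon as the cap is crossed; memory use stays
      // bounded by the limit plus one chunk.
      await reader.cancel();
      throw new BodyTooLargeError(limit);
    }
    chunks.push(value);
  }
  const body = new Uint8Array(received);
  let offset = 0;
  for (const chunk of chunks) { body.set(chunk, offset); offset += chunk.byteLength; }
  return body;
}

// Hypothetical wrapper: the handler only ever sees an already-bounded body.
async function guardAction(request, handler, limit = MAX_BODY_BYTES) {
  try {
    return await handler(await readBodyWithLimit(request, limit));
  } catch (err) {
    if (err instanceof BodyTooLargeError) return new Response("Payload Too Large", { status: 413 });
    throw err;
  }
}
```

A limit at the reverse proxy or load balancer in front of the server complements an in-process check like this one, since it rejects oversized requests before they reach the Node process.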
References
- github.com/advisories/GHSA-jm64-8m5q-4qh8
- github.com/withastro/astro
- github.com/withastro/astro/commit/522f880b07a4ea7d69a19b5507fb53a5ed6c87f8
- github.com/withastro/astro/pull/15564
- github.com/withastro/astro/releases/tag/@astrojs/node@9.5.4
- github.com/withastro/astro/security/advisories/GHSA-jm64-8m5q-4qh8
- nvd.nist.gov/vuln/detail/CVE-2026-27729