CVE-2026-29772: Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
Astro’s Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.
References
- github.com/advisories/GHSA-3rmj-9m5h-8fpv
- github.com/withastro/astro
- github.com/withastro/astro/commit/f9ee8685dd26e9afeba3b48d41ad6714f624b12f
- github.com/withastro/astro/releases/tag/@astrojs/node@10.0.0
- github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv
- nvd.nist.gov/vuln/detail/CVE-2026-29772