Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed

Severity:: Medium

Description

Requesting a static JS/CSS resource from the _astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases.

Recommendation

Update the @astrojs/node package to the latest compatible version. Followings are version details:

Affected version(s): < 10.0.5
Patched version(s): 10.0.5

References

GHSA-c57f-mm3j-27q9
CVE-2026-41322
CWE-525
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands - CVE-2026-29772
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize - CVE-2026-27829
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @astrojs/node

Anything's wrong? Let us know Last updated on April 27, 2026