Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
- Severity: Medium
Description
Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.
Recommendation
Update the @astrojs/node package to the latest compatible version. Version details are as follows:
- Affected version(s): >= 9.0.0, < 9.5.4
- Patched version(s): 9.5.4
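For request handlers you maintain yourself, the control whose absence is described above is a cap enforced while the body streams in, since a chunked request declares no Content-Length to check up front. The sketch below is an added example, not Astro's or @astrojs/node's code; every name in it and the 1 MiB cap are assumptions.

```javascript
// Added example, not Astro's code. All names and the 1 MiB cap are assumptions.
const MAX_BODY_BYTES = 1024 * 1024;

class PayloadTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.status = 413; // HTTP 413 Content Too Large
  }
}

// Cheap early rejection when the client declares an oversized body.
function checkDeclaredLength(headerValue, limit = MAX_BODY_BYTES) {
  if (headerValue === undefined) return; // chunked transfer: nothing declared
  const n = Number(headerValue);
  if (!Number.isInteger(n) || n < 0) throw new Error('invalid Content-Length');
  if (n > limit) throw new PayloadTooLargeError(limit);
}

// Counts bytes as they arrive and fails as soon as the total passes the limit,
// so at most `limit` bytes plus one chunk are ever held in memory.
class BoundedBody {
  constructor(limit = MAX_BODY_BYTES) {
    Object.assign(this, { limit, size: 0, chunks: [] });
  }
  push(chunk) {
    this.size += chunk.byteLength;
    if (this.size > this.limit) {
      this.chunks = []; // drop what was buffered
      throw new PayloadTooLargeError(this.limit);
    }
    this.chunks.push(chunk);
  }
  bytes() { return Buffer.concat(this.chunks, this.size); }
}

// `req` is any async iterable of Buffers with a `headers` object,
// such as Node's http.IncomingMessage.
async function readBodyLimited(req, limit = MAX_BODY_BYTES) {
  checkDeclaredLength(req.headers['content-length'], limit);
  const body = new BoundedBody(limit);
  for await (const chunk of req) body.push(chunk);
  return body.bytes();
}

// Constructed input: a chunked upload of 3 x 512 KiB with no Content-Length.
async function* upload() { for (let i = 0; i < 3; i++) yield Buffer.alloc(512 * 1024); }
const demo = () => readBodyLimited({ headers: {}, [Symbol.asyncIterator]: upload })
  .then(() => 200, (e) => e.status);
demo().then((status) => console.log('response status:', status));
```

Throwing inside the `for await` loop ends iteration of the request stream, so the remaining bytes are never buffered.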
Related Issues
- Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands - CVE-2026-29772
- Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize - CVE-2026-27829
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
- Tags: npm, @astrojs/node
Last updated on February 25, 2026