Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
- Severity: Medium
Description
Astro’s Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.
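The two mitigations the description implies, as an added example that is not code from Astro or @astrojs/node: cap the body before it is buffered or parsed, and validate the island name before the body is read at all. The names (`BodyTooLarge`, `BoundedBodyBuffer`, `readJsonBodyBounded`, `handleIslandPost`), the `knownIslands` set and the 64 KiB limit are assumptions for illustration.

```javascript
// Added illustration, not Astro's own handler. Chunks are expected to be Buffers.
const MAX_BODY_BYTES = 64 * 1024; // assumed cap; size it for the largest legitimate island props

class BodyTooLarge extends Error {
  constructor(limit) { super(`request body exceeds ${limit} bytes`); this.name = 'BodyTooLarge'; }
}

// Cheap first gate: refuse a declared oversized body before reading a single chunk.
function checkDeclaredLength(headers, limit) {
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > limit) throw new BodyTooLarge(limit);
}

// Accumulates chunks and throws the moment the running total passes the cap,
// so at most `limit` bytes of one request are ever held before JSON.parse().
class BoundedBodyBuffer {
  constructor(limit = MAX_BODY_BYTES) { this.limit = limit; this.chunks = []; this.received = 0; }
  push(chunk) {
    this.received += chunk.length;
    if (this.received > this.limit) throw new BodyTooLarge(this.limit);
    this.chunks.push(chunk);
    return this.received;
  }
  parseJSON() {
    return JSON.parse(Buffer.concat(this.chunks).toString('utf8'));
  }
}

// `stream` is any sync or async iterable of Buffer chunks, e.g. a Node IncomingMessage.
// Throwing inside for-await closes the iterator; for a Node Readable that destroys the
// stream, so the remainder of an oversized body is never read into memory.
async function readJsonBodyBounded(stream, headers = {}, limit = MAX_BODY_BYTES) {
  checkDeclaredLength(headers, limit);
  const buf = new BoundedBodyBuffer(limit);
  for await (const chunk of stream) buf.push(chunk);
  return buf.parseJSON();
}

// Hardened handler order: reject unknown island names before touching the body,
// then enforce the cap while buffering, and map each failure to a status code.
async function handleIslandPost(name, headers, stream, knownIslands) {
  if (!knownIslands.has(name)) return { status: 404 };
  try {
    const props = await readJsonBodyBounded(stream, headers);
    return { status: 200, props };
  } catch (err) {
    if (err instanceof BodyTooLarge) return { status: 413 };
    return { status: 400 }; // malformed JSON or other body error
  }
}
```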
Recommendation
Update the @astrojs/node package to the latest compatible version. Version details:
- Affected version(s): < 10.0.0
- Patched version(s): 10.0.0
References
Related Issues
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize - CVE-2026-27829
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
- Tags: npm, @astrojs/node