Skip to main content

Astro EUVD-2026-14962

| CVE-2026-29772 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-24 GitHub_M GHSA-3rmj-9m5h-8fpv
Denial Of Service Astro
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 19:00 euvd
EUVD-2026-14962
Analysis Generated
Mar 24, 2026 - 19:00 vuln.today
CVE Published
Mar 24, 2026 - 18:38 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.

AnalysisAI

Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST handler that allows unauthenticated remote attackers to exhaust server memory and cause denial of service. The vulnerability affects all Astro SSR applications using the Node standalone adapter, regardless of whether Server Islands functionality is actually used, because the request body is parsed before route validation occurs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS 5.9 score (Medium severity) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H reflects a network-accessible vulnerability requiring no authentication but with High attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a POST request to any Astro SSR application at the /_server-islands/malicious endpoint with a crafted JSON payload containing thousands of small objects or deeply nested structures. The Astro handler immediately begins parsing the entire body without size validation, causing the V8 engine to allocate heap memory at approximately 15 times the wire payload size. …
Remediation Upgrade Astro to version 10.0.0 or later immediately, as the patch is already available and fully resolves the vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-14962 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy