npm package
@astrojs/node
pkg:npm/%40astrojs/node
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41322 | Med | 5.3 | — | < 10.0.5 | 10.0.5 | Apr 24, 2026 | @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting static js/css resources from the _astro path with an incorrect/malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. This has the eff |
| CVE-2026-29772 | — | — | — | < 10.0.0 | 10.0.0 | Mar 24, 2026 | Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small |
| CVE-2026-27829 | — | — | — | >= 9.0.0, < 9.5.4 | 9.5.4 | Feb 26, 2026 | Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetche |
| CVE-2026-27729 | — | — | — | >= 9.0.0, < 9.5.4 | 9.5.4 | Feb 24, 2026 | Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-dema |
| CVE-2026-25545 | — | — | — | < 9.5.4 | 9.5.4 | Feb 24, 2026 | Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page (e.g. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on `/500.ht |
| CVE-2025-55303 | — | — | — | < 9.1.1 | 9.1.1 | Aug 19, 2025 | Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built wit |
| CVE-2025-55207 | Med | — | — | < 9.4.1 | 9.4.1 | Aug 15, 2025 | Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would r |