Staging Environment: Content and features may be unstable or change without notice.
Package details: pkg:npm/%40astrojs/node@9.5.1
purl: pkg:npm/%40astrojs/node@9.5.1 (the %40 is the percent-encoded @ of the npm scope)
Next non-vulnerable version: 10.0.5
Latest non-vulnerable version: 10.0.5
Risk: 3.9
Vulnerabilities affecting this package (5)
Each entry gives the vulnerability, its summary and the @astrojs/node version that fixes it. The "affected by N other vulnerabilities" note describes that fixing version, so an upgrade is only final when N is 0 (here, 10.0.5).
Vulnerability: VCID-6u1w-y61g-kyeq
Aliases: CVE-2026-41322, GHSA-c57f-mm3j-27q9
Summary: @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resource from the _astro path with an incorrect or malformed If-Match header returns a 500 error with a one-year cache lifetime instead of a 412 in some cases. As a result, every subsequent request for that file, whatever its If-Match header, is served a 5xx error instead of the file until the cache entry expires. This vulnerability is fixed in 10.0.5.
Fixed by: 10.0.5 (affected by 0 other vulnerabilities)
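As an added example (not @astrojs/node's own code, and not a claim about how the adapter is implemented), the following Node.js snippet models the failure mode described above and its fix: a handler that attaches the one-year cache headers before evaluating If-Match and lets a parse error fall through to a 500, beside a handler that parses If-Match per RFC 9110 without throwing, answers 412 with `Cache-Control: no-store` on both mismatch and malformed input, and only sets the long-lived directive on the 200. The asset, its ETag and the cache simulation are constructed for the demo.

```javascript
'use strict';

// Added example (not @astrojs/node's code): conditional-request handling for
// immutable static assets that never turns a malformed If-Match into a
// cacheable 5xx. ASSET, ONE_YEAR and the handlers are constructed for this demo.

const ONE_YEAR = 'public, max-age=31536000, immutable';

// entity-tag = [ "W/" ] DQUOTE *etagc DQUOTE   (RFC 9110, section 8.8.3)
const ENTITY_TAG = /^(W\/)?"([\x21\x23-\x7e\x80-\xff]*)"$/;

// Constructed asset standing in for a hashed file under /_astro/.
const ASSET = { etag: '"abc123"', type: 'text/javascript', body: 'console.log("hi")' };

// Parse If-Match into {kind: 'absent' | 'any' | 'list' | 'malformed', tags}.
// Client input must never throw; a bad entity-tag is simply a failed precondition.
function parseIfMatch(value) {
  if (value === undefined || value === null) return { kind: 'absent', tags: [] };
  const v = String(value).trim();
  if (v === '*') return { kind: 'any', tags: [] };
  const tags = [];
  for (const part of v.split(',')) {
    const m = ENTITY_TAG.exec(part.trim());
    if (!m) return { kind: 'malformed', tags: [] };
    tags.push({ weak: Boolean(m[1]), opaque: m[2] });
  }
  return { kind: 'list', tags };
}

// If-Match uses strong comparison: a weak tag on either side never matches
// (RFC 9110, sections 8.8.3.2 and 13.1.1).
function ifMatchAllows(parsed, currentEtag) {
  if (parsed.kind === 'absent' || parsed.kind === 'any') return true;
  if (parsed.kind === 'malformed') return false;
  const cur = ENTITY_TAG.exec(currentEtag);
  if (!cur || cur[1]) return false;
  return parsed.tags.some((t) => !t.weak && t.opaque === cur[2]);
}

// Pattern that reproduces the advisory's symptom: the long-lived cache headers
// are attached before the precondition is evaluated, and a parse error falls
// through to a generic 500 that inherits them.
function vulnerableHandler(reqHeaders, asset = ASSET) {
  const headers = { 'Cache-Control': ONE_YEAR, ETag: asset.etag };
  try {
    const raw = reqHeaders['if-match'];
    if (raw !== undefined && raw.trim() !== '*') {
      const tags = raw.split(',').map((s) => {
        const m = ENTITY_TAG.exec(s.trim());
        if (!m) throw new TypeError('invalid entity-tag');
        return m[2];
      });
      if (!tags.includes(asset.etag.slice(1, -1))) return { status: 412, headers, body: '' };
    }
    return { status: 200, headers: { ...headers, 'Content-Type': asset.type }, body: asset.body };
  } catch (err) {
    return { status: 500, headers, body: 'Internal Server Error' }; // still carries max-age=31536000
  }
}

// Hardened version: malformed and mismatching If-Match both yield 412, and
// cache directives are only ever attached to the successful response.
function hardenedHandler(reqHeaders, asset = ASSET) {
  const parsed = parseIfMatch(reqHeaders['if-match']);
  if (!ifMatchAllows(parsed, asset.etag)) {
    return { status: 412, headers: { 'Cache-Control': 'no-store', ETag: asset.etag }, body: '' };
  }
  return {
    status: 200,
    headers: { 'Cache-Control': ONE_YEAR, ETag: asset.etag, 'Content-Type': asset.type },
    body: asset.body,
  };
}

// Minimal shared-cache model: stores any response carrying an explicit max-age
// and replays it for later requests. Returns the status each client observed.
function simulateCache(handler, requestHeadersList) {
  let stored = null;
  return requestHeadersList.map((reqHeaders) => {
    if (stored) return stored.status;
    const res = handler(reqHeaders);
    if (/max-age=\d+/.test(res.headers['Cache-Control'] || '')) stored = res;
    return res.status;
  });
}
```

Compare `simulateCache(vulnerableHandler, [...])` with `simulateCache(hardenedHandler, [...])` for a first request carrying an unquoted If-Match value: the first poisons the cache with the 500 for every later client, the second answers 412 without caching and lets the next client get the file. The cache model is deliberately simple (any explicit max-age is stored); real caches apply more rules, but an explicit freshness lifetime does make a 500 storable. A quick check against a deployed adapter is a request for a hashed `/_astro/` file with an unquoted `If-Match` value: the response must be 412 or 200 and must not carry a `max-age`.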
Vulnerability: VCID-axny-tuav-wyc9
Aliases: CVE-2026-29772, GHSA-3rmj-9m5h-8fpv
Summary: Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves roughly 15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.
Fixed by: 10.0.0 (affected by 1 other vulnerability)
Vulnerability: VCID-b172-yv6a-ykex
Aliases: CVE-2026-25545, GHSA-qq67-mvv5-fw3g
Summary: Astro is a web framework. Prior to version 9.5.4, server-side rendered pages that return an error with a prerendered custom error page (e.g. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, that server is fetched for `/500.html`, and it can redirect the fetch to any internal URL, whose response body is returned through the first request. An attacker who can reach the application without `Host:` header validation (e.g. by finding the origin IP behind a proxy, or simply by default) can therefore point the fetch at their own server and redirect it to any internal IP, reaching cloud metadata addresses and services on the internal network or localhost. Exploitation requires a commonly used feature (a prerendered custom error page) and direct access to the server (no proxy in front of it). Version 9.5.4 fixes the issue.
Fixed by: 9.5.4 (affected by 2 other vulnerabilities)
Vulnerability: VCID-mhqt-ksxk-pfb1
Aliases: CVE-2026-27729, GHSA-jm64-8m5q-4qh8
Summary: Astro has a memory exhaustion DoS due to a missing request body size limit in Server Actions.
Fixed by: 9.5.4 (affected by 2 other vulnerabilities)
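Both size-limit advisories on this page (CVE-2026-29772 for Server Islands and CVE-2026-27729 for Server Actions) come down to the same missing control. The following is an added Node.js example, not Astro's or the adapter's code: a body reader that refuses on the declared Content-Length, then on the actual bytes received, before JSON.parse() ever runs, plus a route handler that validates the island name before touching the body. MAX_BODY_BYTES, HttpError, the island registry and buildAmplifyingPayload are constructed for the demo.

```javascript
'use strict';

// Added example (not Astro's code): a request body reader with a hard byte
// limit enforced before JSON.parse() can allocate anything. MAX_BODY_BYTES and
// the island registry are assumptions for this demo.

const MAX_BODY_BYTES = 64 * 1024; // assumed limit; size it to the largest legitimate payload

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Cheap first gate: a declared Content-Length above the limit is refused before
// a single byte is read. Chunked bodies carry no Content-Length, so the byte
// counter in BodyLimiter is still required.
function checkDeclaredLength(headers, maxBytes = MAX_BODY_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return;
  if (!/^\d+$/.test(String(raw))) throw new HttpError(400, 'invalid Content-Length');
  if (Number(raw) > maxBytes) throw new HttpError(413, `body exceeds ${maxBytes} bytes`);
}

// Accumulates chunks and fails closed the moment the running total passes the limit.
class BodyLimiter {
  constructor(maxBytes = MAX_BODY_BYTES) { this.maxBytes = maxBytes; this.received = 0; this.chunks = []; }
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.received += buf.length;
    if (this.received > this.maxBytes) throw new HttpError(413, `body exceeds ${this.maxBytes} bytes`);
    this.chunks.push(buf);
  }
  body() { return Buffer.concat(this.chunks); }
}

// Synchronous form for input that is already chunked (arrays of Buffers/strings).
function collectWithLimit(chunks, maxBytes = MAX_BODY_BYTES) {
  const limiter = new BodyLimiter(maxBytes);
  for (const c of chunks) limiter.push(c);
  return limiter.body();
}

// Streaming form for a Node IncomingMessage, or any async iterable with .headers.
async function readJsonBody(req, maxBytes = MAX_BODY_BYTES) {
  checkDeclaredLength(req.headers || {}, maxBytes);
  const limiter = new BodyLimiter(maxBytes);
  try {
    for await (const chunk of req) limiter.push(chunk);
  } catch (err) {
    if (typeof req.destroy === 'function') req.destroy(); // stop draining an oversized body
    throw err;
  }
  return JSON.parse(limiter.body().toString('utf8'));
}

// Ordering matters: an unknown island (or action) name is rejected before the
// body is touched, so the route is not a free JSON-parsing oracle.
function handleIslandPost(name, chunks, knownIslands, maxBytes = MAX_BODY_BYTES) {
  if (!knownIslands.has(name)) return { status: 404 };
  try {
    const props = JSON.parse(collectWithLimit(chunks, maxBytes).toString('utf8'));
    return { status: 200, props };
  } catch (err) {
    return { status: err instanceof HttpError ? err.status : 400 }; // SyntaxError -> 400
  }
}

// Constructed attacker payload in the shape the advisory describes: n empty
// objects, 3n+1 wire bytes, each object becoming its own heap allocation.
function buildAmplifyingPayload(n) {
  return '[' + Array(n).fill('{}').join(',') + ']';
}
```

The limit lives in the reader, not in the parser: once JSON.parse() is running, the allocation has already happened, so the only place to bound heap growth is the byte count before the call. Keep the limit small for these endpoints; island props and action arguments are normally well under a few kilobytes.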
Vulnerability: VCID-yjks-6cdr-qfd8
Aliases: CVE-2026-27829, GHSA-cj9f-h6r6-4cx2
Summary: Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize.
Fixed by: 9.5.4 (affected by 2 other vulnerabilities)
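CVE-2026-25545 and CVE-2026-27829 above are both outbound fetches whose destination is chosen by untrusted input: the request's Host header in one case, a remote image URL in the other. The following added example (not Astro's code) shows the Host validation and hostname allowlisting a practitioner would want in front of both, plus the redirect policy that stops an allowed host from bouncing the fetch to an internal address. TRUSTED_HOSTS, REMOTE_IMAGE_ALLOWLIST, SELF_ORIGIN and the function names are assumptions for the demo.

```javascript
'use strict';

// Added example (not Astro's code): Host header validation and hostname
// allowlisting for server-side fetches. The allowlists, SELF_ORIGIN and the
// function names are assumptions for this demo.

const TRUSTED_HOSTS = new Set(['example.com', 'www.example.com']);          // hosts this site is served as
const REMOTE_IMAGE_ALLOWLIST = ['images.example.com', '*.cdn.example.net']; // patterns for remote images
const SELF_ORIGIN = 'http://127.0.0.1:4321';                                 // where the adapter itself listens

// Host = uri-host [ ":" port ]. Anything with '@', '/', spaces or brackets is
// refused outright instead of being "normalised".
const HOST_RE = /^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)(?::(\d{1,5}))?$/i;

function hostHeaderIsTrusted(hostHeader, trusted = TRUSTED_HOSTS) {
  if (typeof hostHeader !== 'string') return false;
  const m = HOST_RE.exec(hostHeader.trim());
  return m !== null && trusted.has(m[1].toLowerCase());
}

// Build the URL of a prerendered error page from a configured origin, never
// from the client's Host, and refuse to serve at all when Host is not ours.
function errorPageUrl(hostHeader, status, trusted = TRUSTED_HOSTS, origin = SELF_ORIGIN) {
  if (!hostHeaderIsTrusted(hostHeader, trusted)) return null;
  if (!Number.isInteger(status) || status < 400 || status > 599) return null;
  return `${origin}/${status}.html`;
}

// '*.cdn.example.net' matches subdomains only: never the apex, and never a
// longer hostname that merely contains the pattern.
function hostMatches(hostname, pattern) {
  const p = pattern.toLowerCase();
  if (p.startsWith('*.')) {
    const suffix = p.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === p;
}

// WHATWG URL parsing normalises hex/octal/short IPv4 forms to dotted decimal
// and IPv6 to bracketed form, so checking for a literal after parsing is reliable.
function isIpLiteral(hostname) {
  return /^\d{1,3}(?:\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith('[');
}

function isAllowedRemoteUrl(input, patterns = REMOTE_IMAGE_ALLOWLIST) {
  let u;
  try { u = new URL(input); } catch { return false; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  if (u.username || u.password) return false;   // https://images.example.com@attacker/...
  if (isIpLiteral(u.hostname)) return false;     // 169.254.169.254, 127.0.0.1, [::1], ...
  return patterns.some((p) => hostMatches(u.hostname, p));
}

// Options for either outbound fetch: never follow redirects server-side, so an
// allowed host cannot bounce the request to an internal one.
function outboundFetchOptions() {
  return { redirect: 'manual' };
}

// Anything other than a 2xx, including the unfollowed 3xx, is a failure.
function acceptOutboundResponse(status) {
  return status >= 200 && status <= 299;
}
```

Two caveats. The allowlist is checked on the hostname, not on what it resolves to, so a name that resolves to a private address, or rebinds between lookup and connect, still gets through unless the resolved address is also checked before connecting. And `redirect: 'manual'` only helps when the caller treats the unfollowed 3xx as a failure, which is what acceptOutboundResponse() does; following redirects with a second allowlist check on each hop is the alternative if redirects are genuinely needed.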
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-12T22:12:41.127343+00:00 | GitLab Importer | Affected by | VCID-6u1w-y61g-kyeq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-41322.yml | 38.6.0
2026-06-12T21:35:52.450300+00:00 | GitLab Importer | Affected by | VCID-axny-tuav-wyc9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-29772.yml | 38.6.0
2026-06-12T21:07:40.488643+00:00 | GitLab Importer | Affected by | VCID-yjks-6cdr-qfd8 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-27829.yml | 38.6.0
2026-06-12T21:07:24.566497+00:00 | GitLab Importer | Affected by | VCID-mhqt-ksxk-pfb1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-27729.yml | 38.6.0
2026-06-12T21:02:18.035785+00:00 | GitLab Importer | Affected by | VCID-b172-yv6a-ykex | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-25545.yml | 38.6.0