Package details: pkg:npm/%40astrojs/node@9.5.5
purl pkg:npm/%40astrojs/node@9.5.5
Next non-vulnerable version 10.0.5
Latest non-vulnerable version 10.0.5
Risk 3.1
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-6u1w-y61g-kyeq
Aliases:
CVE-2026-41322
GHSA-c57f-mm3j-27q9
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static JS/CSS resource from the _astro path with an incorrect or malformed If-Match header returns, in some cases, a 500 error with a one-year cache lifetime instead of a 412. As a result, all subsequent requests to that file, regardless of their If-Match header, are served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5.
10.0.5
Affected by 0 other vulnerabilities.
VCID-axny-tuav-wyc9
Aliases:
CVE-2026-29772
GHSA-3rmj-9m5h-8fpv
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.
10.0.0
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-12T22:12:41.143752+00:00 | GitLab Importer | Affected by | VCID-6u1w-y61g-kyeq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-41322.yml | 38.6.0 |
| 2026-06-12T21:35:52.467053+00:00 | GitLab Importer | Affected by | VCID-axny-tuav-wyc9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@astrojs/node/CVE-2026-29772.yml | 38.6.0 |