SCA: security update for @astrojs/node (GHSA-jm64-8m5q-4qh8)

high Tenable Self-Hosted Container Security Plugin ID 438034

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request
body size limit, which can lead to memory exhaustion DoS. On-demand rendered sites built with Astro can
define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is
buffered entirely into memory with no size limit, so a single oversized POST to a valid action endpoint is
enough to exhaust the process heap and crash the server process on memory-constrained deployments. Astro's
Node adapter (`mode: 'standalone'`) creates an HTTP server with no body size protection. In containerized
environments the crashed process is automatically restarted, and repeated requests cause a persistent
crash-restart loop. Action names are discoverable from HTML form attributes on any public page, so no
authentication is required; the result is unauthenticated denial of service against SSR standalone
deployments using server actions. Version 9.5.4 contains a fix. (CVE-2026-27729)

See Also

https://github.com/advisories/GHSA-jm64-8m5q-4qh8

Plugin Details

Severity: High

ID: 438034

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/2/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-27729

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/25/2026

Vulnerability Publication Date: 2/24/2026

Reference Information

CVE: CVE-2026-27729

CWE: CWE-770