Astro Web Framework Request Body Size Limit Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Astro web framework, affecting versions 9.0.0 prior to 9.5.4. Astro server actions enforce no default limit on request body size, so a large POST request can exhaust server memory and crash the server process, particularly in memory-constrained environments. The vulnerability is present in on-demand rendered sites using Astro's Node adapter in standalone mode, where the HTTP server provides no body size protection of its own. Action names can be read from public HTML forms, so no authentication is needed to exploit this issue.
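To illustrate the control that is missing here, the following is an added example (not Astro's code and not the 9.5.4 fix) of a body reader that bounds memory: a Content-Length pre-check, plus a running byte count so that bodies sent without Content-Length (chunked transfer) are also cut off. It assumes a headers object with lower-cased names, a body delivered as an async iterable of Uint8Array chunks, and a caller that maps PayloadTooLarge to an HTTP 413 response.

```javascript
// Added example (not Astro's own code): a bounded-memory body reader. It does a cheap
// Content-Length pre-check and then counts streamed bytes, so bodies sent without
// Content-Length (chunked transfer) are also cut off at the limit.
class PayloadTooLarge extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = "PayloadTooLarge";
    this.status = 413;
  }
}
// Reject early when the declared length already exceeds the limit.
function checkContentLength(headers, limit) {
  const raw = headers["content-length"]; // assumed: header names are lower-cased
  if (raw === undefined) return; // chunked or absent: rely on the streaming check
  const declared = Number(raw);
  if (!Number.isInteger(declared) || declared < 0) throw new Error("invalid Content-Length");
  if (declared > limit) throw new PayloadTooLarge(limit);
}
// Consume chunks, aborting as soon as the running total passes the limit, so at
// most `limit` bytes plus one chunk are ever held in memory.
async function readBodyBounded(chunks, headers, limit) {
  checkContentLength(headers, limit);
  const parts = [];
  let total = 0;
  for await (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > limit) {
      parts.length = 0; // drop what was buffered before rejecting
      throw new PayloadTooLarge(limit);
    }
    parts.push(chunk);
  }
  const body = new Uint8Array(total);
  let offset = 0;
  for (const p of parts) { body.set(p, offset); offset += p.byteLength; }
  return body;
}
// Constructed sample client: streams chunks of the given sizes, no Content-Length.
async function* chunkStream(sizes) {
  for (const n of sizes) yield new Uint8Array(n).fill(0x41);
}
// Runs one request through the guard and reports the outcome as a string.
async function demo(sizes, headers, limit) {
  try {
    const body = await readBodyBounded(chunkStream(sizes), headers, limit);
    return `ok:${body.byteLength}`;
  } catch (e) {
    return `${e.name}:${e.status ?? ""}`;
  }
}
```

A request within the limit is buffered and returned; an oversized chunked body is rejected part-way through, and an oversized declared length is rejected before any body bytes are read.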
Impact
Exploitation of this vulnerability leads to memory exhaustion, causing the server process to crash. In containerized environments, the crash triggers an automatic restart, creating a continuous loop of crashes and restarts.
Reproduction
To reproduce this vulnerability, send a large POST request to a valid Astro server action endpoint. The request can be made with either JSON or FormData. Ensure that the action is accessible without authentication. In a memory-constrained environment, the server process will crash, and if running in a container, it will enter a crash-restart loop.
Remediation
Update to Astro version 9.5.4 or later, which fixes this vulnerability.