16 matches found
CVE-2026-41322 @astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static JS/CSS resource from the astro path with an incorrect/malformed If-Match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. This has the effect that all...
CVE-2026-41322
CVE-2026-41322 affects @astrojs/node used with Astro. Prior to 10.0.5, when a malformed/incorrect If-Match header triggers a precondition failure for static files under /_astro/, the underlying stream emits an error after emitting a file event and the server responds with 500 Internal Server Erro...
Use of Web Browser Cache Containing Sensitive Information
Overview: @astrojs/node is an adapter that deploys your site to a Node.js server. Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information via the serve-static.ts component. An attacker can cause legitimate users to receive persistent error responses for static...
@chocolatey-software/astro (=2.7.0), astro-service-worker (=0.0.1) potentially affected by CVE-2026-41322 via @astrojs/node (>=0.1.6 <=10.0.4)
@astrojs/node NPM version >=0.1.6 <=10.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - @chocolatey-software/astro =2.7.0 - astro-service-worker =0.0.1 Source cves: CVE-2026-41322 Source advisory:...
Allocation of Resources Without Limits or Throttling
Overview: @astrojs/node is an adapter that deploys your site to a Node.js server. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /server-islands/name route handler, which buffers and parses the entire request body as JSON without enforcing a size...
astro-service-worker (=0.0.1) potentially affected by CVE-2026-29772 via @astrojs/node (=0.1.6)
@astrojs/node NPM version =0.1.6 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - astro-service-worker =0.0.1 Source cves: CVE-2026-29772 Source advisory: OSV:GHSA-3RMJ-9M5H-8FPV...
@chocolatey-software/astro (>=2.0.0 <=2.5.0), choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2026-27829 via @astrojs/node (>=9.2.2 <=9.5.2)
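@astrojs/node NPM version >=9.2.2 <=9.5.2 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - @chocolatey-software/astro >=2.0.0 <=2.5.0 - choco-astro >=0.3.1 <=0.4.0 Source cves: CVE-2026-27829 Source advisory: OSV:GHSA-CJ9F-H6R6-4CX2...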
@ayco/astro-resume (>=0.3.0 <=0.3.2), @ayco/cozy (>=0.2.5 <=0.3.1) +34 more potentially affected by CVE-2026-25545 via @astrojs/node (>=0.1.6 <=9.5.2)
@astrojs/node NPM version =0.1.6, =0.3.0, =0.2.5, =1.0.0, =2.0.0, =0.1.3, =0.40.5, =0.0.51, =0.0.51, =3.23.0, =0.0.1, =2.0.0, =0.2.1, =0.2.7 and more Source cves: CVE-2026-25545 Source advisory: OSV:GHSA-QQ67-MVV5-FW3G...
Relative Path Traversal
Overview: @astrojs/node is an adapter that deploys your site to a Node.js server. Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.j...
choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2025-64757 via @astrojs/node (>=9.2.2 <=9.3.0)
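@astrojs/node NPM version >=9.2.2 <=9.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - choco-astro >=0.3.1 <=0.4.0 Source cves: CVE-2025-64757 Source advisory: SNYK:JS-ASTROJSNODE-14059141...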
choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2025-61925 via @astrojs/node (>=9.2.2 <=9.3.0)
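@astrojs/node NPM version >=9.2.2 <=9.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - choco-astro >=0.3.1 <=0.4.0 Source cves: CVE-2025-61925 Source advisory: SNYK:JS-ASTROJSNODE-13535086...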
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview: @astrojs/node is an adapter that deploys your site to a Node.js server. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the X-Forwarded-Host header when using the Astro.url property without validation. An attacker c...
Open Redirection
@astrojs/node is vulnerable to Open Redirection. The vulnerability is due to incorrect handling of double slashes with the Node deployment adapter in standalone mode and trailingSlash set to "always", allowing attackers to redirect users to malicious domains...
Open Redirect
Overview: @astrojs/node is an adapter that deploys your site to a Node.js server. Affected versions of this package are vulnerable to Open Redirect via the trailingSlash configuration in standalone mode with the Node deployment adapter. An attacker can redirect users to external sites by crafting URLs with double...
choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2025-55207 via @astrojs/node (>=9.2.2 <=9.3.0)
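@astrojs/node NPM version >=9.2.2 <=9.3.0 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - choco-astro >=0.3.1 <=0.4.0 Source cves: CVE-2025-55207 Source advisory: SNYK:JS-ASTROJSNODE-11951436...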