漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
Vulnerability Description
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched in version 10.0.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
Astro 安全漏洞
Vulnerability Description
Astro是Astro开源的一个内容驱动网站的 web 框架。 Astro 10.0.0之前版本存在安全漏洞,该漏洞源于Server Islands POST处理程序无限制地缓冲和解析完整请求体为JSON,可能导致内存耗尽和服务器崩溃。
CVSS Information
N/A
Vulnerability Type
N/A