{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41322", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.671Z", "datePublished": "2026-04-24T17:08:13.080Z", "dateUpdated": "2026-04-25T01:48:27.606Z"}, "containers": {"cna": {"title": "@astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed", "problemTypes": [{"descriptions": [{"cweId": "CWE-525", "lang": "en", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9"}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"version": "< 10.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:08:13.080Z"}, "descriptions": [{"lang": "en", "value": "@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all subsequent requests to that file, regardless of if-match header will be served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5."}], "source": {"advisory": "GHSA-c57f-mm3j-27q9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:48:09.909604Z", "id": "CVE-2026-41322", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:48:27.606Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41322", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:48:09.909604Z"}}}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:48:22.954Z"}}], "cna": {"title": "@astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed", "source": {"advisory": "GHSA-c57f-mm3j-27q9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"status": "affected", "version": "< 10.0.5"}]}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9", "name": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all subsequent requests to that file, regardless of if-match header will be served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-525", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T17:08:13.080Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41322", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:48:27.606Z", "dateReserved": "2026-04-20T14:01:46.671Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T17:08:13.080Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all subsequent requests to that file, regardless of if-match header will be served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5."}], "id": "CVE-2026-41322", "lastModified": "2026-04-27T18:53:00.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T18:16:28.923", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-525"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "astro", "source": "cna", "vendor": "withastro"}, "product": "astro", "vendor": "withastro"}], "analysis": {"en": {"generated_at": "2026-04-28T06:01:18.884137+00:00", "value": {"mitigation_remediation": ["Upgrade the @astrojs/node adapter to version 10.0.5 or later to apply the vendor\u2011provided patch.", "Configure the web server to validate if-match headers and return a client\u2011error status (e.g., 400 or 412) instead of a server\u2011error when the header is malformed, preventing a cacheable error response.", "If the patch cannot be applied immediately, modify caching rules to prevent error responses from being stored or configure the cache to purge cached error responses as soon as they are returned."], "summary": {"action": "Update Astro to 10.0.5", "impact": "Cache Poisoning and Denial of Service"}, "threat_synthesis": {"affected_systems": "All installations using the withastro:astro framework with the Node adapter at a version earlier than 10.0.5 are susceptible. This includes any production or staging environment deploying SSR sites via @astrojs/node that have not applied the fix released in version 10.0.5.", "description_and_impact": "The Node adapter for Astro, @astrojs/node, mishandles requests that contain a malformed if-match header when fetching static JavaScript or CSS assets from the _astro path. Instead of returning the expected 412 Pre\u2011condition Failed response, the server issues a 500 Internal Server Error with a cache-control header that allows the error to be cached for one year. This cache poisoning causes every subsequent request to that asset\u2014regardless of any subsequent if-match header\u2014to be served the cached 500 response until the expiration period elapses. The practical effect is a denial of service for the affected resource and widespread availability degradation for the entire site.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.3, indicating a moderate severity, and an EPSS score of less than 1\u202f%, meaning the likelihood of exploitation in the wild is low. It is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending crafted HTTP requests with malformed if-match headers to an affected asset URL. No privileged authentication or code execution is required; the exploit is purely remote and functional. The primary consequence is the prolonged unavailability of the requested assets due to cached 500 responses."}}}}, "created": "2026-04-27T20:30:12.048739+00:00", "updated": "2026-04-28T06:15:24.134644+00:00", "vendors": ["withastro", "withastro$PRODUCT$astro"]}