CVE-2026-41322
Published 2026-04-24
Priority: P4 26 · medium · CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.24% (14.7th percentile)
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static JS/CSS resource from the _astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file, regardless of the if-match header, are served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astrojs | node | >= 0 < 10.0.5 | 10.0.5 |
| withastro | astro | < 10.0.5 | 10.0.5 |
VulDB
withastro up to 10.0.4 _astro web browser cache containing sensitive information (GHSA-c57f-mm3j-27q9)
vuldb·2026-04-24·CVSS 5.3
CVE-2026-41322 [MEDIUM] withastro up to 10.0.4 _astro web browser cache containing sensitive information (GHSA-c57f-mm3j-27q9)
A vulnerability marked as problematic has been reported in withastro astro up to 10.0.4. Affected by this issue is the function _astro. This manipulation causes use of web browser cache containing sensitive information.
This vulnerability appears as CVE-2026-41322. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
ghsa·2026-04-23
CVE-2026-41322 [MEDIUM] CWE-525 Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
### Summary
Requesting a static JS/CSS resource from the `_astro` path with an incorrect or malformed `if-match` header returns a `500` error with a one-year cache lifetime instead of `412` in some cases. As a result, all subsequent requests to that file — regardless of the `if-match` header — will be served a 5xx error instead of the file until the cache expires.
Sending an incorrect or malformed `if-match` header should always return a `412` error without any cache headers, which is not the current behavior.
### Affected Versions
- `[email protected]`
- `@astrojs/[email protected]`
### Proof of Concept
Run the following command:
```sh
curl -s -o /dev/null -D - /_astro/_slug_.UTbyeVfw.css -H "if-match: xxx"
```