GHSA-c57f-mm3j-27q9: Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
medium vulnerability
security
Summary
Astro 5.14.1 with the Node adapter (@astrojs/node) 9.4.4 has a cache poisoning vulnerability: sending a malformed `if-match` header (a request validation header) to static JavaScript or CSS files causes the server to return a 500 error with a one-year cache duration instead of the correct 412 error with no cache headers. Once a cache stores that response, all future requests to that file get the cached error response, breaking the application until the cache expires.
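An added example, not taken from the advisory or from Astro's code: a check that flags error responses carrying a shared-cache lifetime (the condition described above), plus a helper that computes headers safe to send with an error status. The function names and sample responses are constructed for illustration, and header names are assumed lowercase.

```javascript
// Added example, not Astro's code. Header names are assumed lowercase.
// Parse a Cache-Control value into a Map of directive -> value (or true).
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), rest.length ? rest.join("=") : true);
  }
  return directives;
}

// Seconds a shared cache may reuse the response (based on Cache-Control only).
function sharedCacheLifetime(headers) {
  const cc = parseCacheControl(headers["cache-control"]);
  if (cc.has("no-store") || cc.has("no-cache") || cc.has("private")) return 0;
  const raw = cc.has("s-maxage") ? cc.get("s-maxage") : cc.get("max-age");
  const seconds = Number.parseInt(raw, 10);
  return Number.isFinite(seconds) && seconds > 0 ? seconds : 0;
}

// The advisory's condition: an error status that a cache is told to keep.
function isCacheableError(status, headers) {
  return status >= 400 && sharedCacheLifetime(headers) > 0;
}

// Copy of the headers with validators and caching removed for error statuses.
function hardenErrorHeaders(status, headers) {
  if (status < 400) return { ...headers };
  const drop = ["cache-control", "expires", "etag", "last-modified"];
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!drop.includes(name.toLowerCase())) out[name] = value;
  }
  out["cache-control"] = "no-store";
  return out;
}

// Constructed sample responses (not captured traffic).
const ONE_YEAR = "public, max-age=31536000, immutable";
const SAMPLES = [
  { name: "500 with one-year cache", status: 500, headers: { "cache-control": ONE_YEAR } },
  { name: "412 with no cache headers", status: 412, headers: {} },
  { name: "200 static asset", status: 200, headers: { "cache-control": ONE_YEAR } },
];

// Names of the samples a cache would store as long-lived errors.
function audit(samples) {
  return samples.filter((s) => isCacheableError(s.status, s.headers)).map((s) => s.name);
}
```

Running `audit` over responses collected from a deployment's static asset routes shows whether any error status is being served with a long cache lifetime.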
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
April 23, 2026
Classification
Attack Sophistication: Trivial
Affected Packages
@astrojs/node@< 10.0.5 (fixed: 10.0.5)
Original source: https://github.com/advisories/GHSA-c57f-mm3j-27q9
First tracked: April 23, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%