Package details: pkg:npm/astro@6.1.10
purl pkg:npm/astro@6.1.10
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-bz6r-5yej-3qha
Summary: Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Aliases: CVE-2026-45028, GHSA-xr5h-phrj-8vxv

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-13T06:30:20.805407+00:00 | GHSA Importer | Fixing | VCID-bz6r-5yej-3qha | https://github.com/advisories/GHSA-xr5h-phrj-8vxv | 38.6.0
2026-06-12T22:29:37.123377+00:00 | GitLab Importer | Fixing | VCID-bz6r-5yej-3qha | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/astro/CVE-2026-45028.yml | 38.6.0
2026-06-12T07:51:35.949115+00:00 | GithubOSV Importer | Fixing | VCID-bz6r-5yej-3qha | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xr5h-phrj-8vxv/GHSA-xr5h-phrj-8vxv.json | 38.6.0