| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-54b2-m662-63d1 |
| vulnerability_id |
VCID-54b2-m662-63d1 |
| summary |
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/astro@4.16.17 |
| purl |
pkg:npm/astro@4.16.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 5 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 6 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 7 |
| vulnerability |
VCID-u6ba-98xk-ybdx |
|
| 8 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 9 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 10 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
| 11 |
| vulnerability |
VCID-yv41-uv7j-buf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@4.16.17 |
|
|
| aliases |
CVE-2024-56140, GHSA-c4pw-33h3-35xw
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-54b2-m662-63d1 |
|
| 1 |
| url |
VCID-7wau-f9fg-8fdf |
| vulnerability_id |
VCID-7wau-f9fg-8fdf |
| summary |
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61925, GHSA-5ff5-9fcw-vg88
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7wau-f9fg-8fdf |
|
| 2 |
| url |
VCID-b4s1-kv89-3bb2 |
| vulnerability_id |
VCID-b4s1-kv89-3bb2 |
| summary |
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-64765, GHSA-ggxq-hp9w-j794
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b4s1-kv89-3bb2 |
|
| 3 |
| url |
VCID-bz6r-5yej-3qha |
| vulnerability_id |
VCID-bz6r-5yej-3qha |
| summary |
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/withastro/astro |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/withastro/astro |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/withastro/astro/pull/16457 |
| reference_id |
16457 |
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:29:40Z/ |
|
|
| url |
https://github.com/withastro/astro/pull/16457 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-45028, GHSA-xr5h-phrj-8vxv
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bz6r-5yej-3qha |
|
| 4 |
| url |
VCID-f73c-5tds-97ds |
| vulnerability_id |
VCID-f73c-5tds-97ds |
| summary |
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-64525, GHSA-hr2q-hp5q-x767
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f73c-5tds-97ds |
|
| 5 |
| url |
VCID-g9xj-txj9-sug8 |
| vulnerability_id |
VCID-g9xj-txj9-sug8 |
| summary |
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/withastro/astro |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/withastro/astro |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33769, GHSA-g735-7g2w-hh3f
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g9xj-txj9-sug8 |
|
| 6 |
| url |
VCID-pbvu-bf73-u3ek |
| vulnerability_id |
VCID-pbvu-bf73-u3ek |
| summary |
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-41067, GHSA-j687-52p2-xcff
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pbvu-bf73-u3ek |
|
| 7 |
| url |
VCID-qhy1-e5yu-mff5 |
| vulnerability_id |
VCID-qhy1-e5yu-mff5 |
| summary |
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-64757, GHSA-x3h8-62x9-952g
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qhy1-e5yu-mff5 |
|
| 8 |
| url |
VCID-u6ba-98xk-ybdx |
| vulnerability_id |
VCID-u6ba-98xk-ybdx |
| summary |
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **astro@5.0.8**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.9**, and backported to Astro v4 in **astro@4.16.18**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **astro@5.0.8**, and the fix for **static-output** projects was released in **astro@5.0.9** and backported to Astro v4 in **astro@4.16.18**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/astro@4.16.18 |
| purl |
pkg:npm/astro@4.16.18 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 5 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 6 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 7 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 8 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 9 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
| 10 |
| vulnerability |
VCID-yv41-uv7j-buf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@4.16.18 |
|
| 1 |
| url |
pkg:npm/astro@5.0.8 |
| purl |
pkg:npm/astro@5.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 5 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 6 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 7 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 8 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 9 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
| 10 |
| vulnerability |
VCID-yv41-uv7j-buf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@5.0.8 |
|
|
| aliases |
CVE-2024-56159, GHSA-49w6-73cw-chjr
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u6ba-98xk-ybdx |
|
| 9 |
| url |
VCID-v78c-t2s8-skdb |
| vulnerability_id |
VCID-v78c-t2s8-skdb |
| summary |
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-65019, GHSA-fvmw-cj7j-j39q
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v78c-t2s8-skdb |
|
| 10 |
| url |
VCID-xbf5-y4wx-7ue1 |
| vulnerability_id |
VCID-xbf5-y4wx-7ue1 |
| summary |
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-64764, GHSA-wrwg-2hg8-v723
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbf5-y4wx-7ue1 |
|
| 11 |
| url |
VCID-y314-jwfh-bqdq |
| vulnerability_id |
VCID-y314-jwfh-bqdq |
| summary |
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-66202, GHSA-whqg-ppgf-wp8c
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y314-jwfh-bqdq |
|
| 12 |
| url |
VCID-yv41-uv7j-buf8 |
| vulnerability_id |
VCID-yv41-uv7j-buf8 |
| summary |
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/withastro/astro |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
6.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/withastro/astro |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/astro@4.16.19 |
| purl |
pkg:npm/astro@4.16.19 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 5 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 6 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 7 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 8 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 9 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@4.16.19 |
|
| 1 |
| url |
pkg:npm/astro@5.13.2 |
| purl |
pkg:npm/astro@5.13.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-fzh9-5617-wkd5 |
|
| 5 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 6 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 7 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 8 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 9 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 10 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@5.13.2 |
|
|
| aliases |
CVE-2025-55303, GHSA-xf8x-j4p2-f749
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yv41-uv7j-buf8 |
|
|
|---|