Vulnerability details: VCID-54b2-m662-63d1
Vulnerability ID: VCID-54b2-m662-63d1
Aliases: CVE-2024-56140, GHSA-c4pw-33h3-35xw
Summary: Astro is a web framework for content-driven websites. In affected versions a bug in Astro's CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
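The Content-Type handling described in the summary, as an added example that is not Astro's own middleware: a weak check that matches the raw header value beside a hardened one that parses out the media type and also checks requests with no Content-Type at all. The request shape, the origins and all function names are assumptions.

```javascript
// Added example (not Astro's code). Models the Content-Type decision inside a
// CSRF origin check as the advisory describes it; all names are hypothetical.
// Media types browsers may send cross-site without a CORS preflight
// ("simple requests"); a request carrying one must have its Origin checked.
const SIMPLE_MEDIA_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Weak decision, modelled on the flaw described above: the whole header value
// is matched, so "application/x-www-form-urlencoded; abc" is not recognised,
// and a request with no Content-Type is never checked at all.
function needsOriginCheckWeak(headers) {
  const ct = headers.get('content-type') ?? null;
  return ct !== null && SIMPLE_MEDIA_TYPES.has(ct);
}

// Hardened decision: keep only the media type before the first ';' (parameters
// such as charset are dropped), normalise it, and also check requests that
// omit Content-Type, since browsers do not require the header.
function mediaType(value) {
  if (value == null) return null;
  return value.split(';')[0].trim().toLowerCase();
}
function needsOriginCheckHardened(headers) {
  const mt = mediaType(headers.get('content-type'));
  return mt === null || SIMPLE_MEDIA_TYPES.has(mt);
}

// Block a state-changing request whose Content-Type needs checking when its
// Origin header is absent or differs from the site's own origin.
function isCsrfBlocked(request, needsCheck) {
  if (!STATE_CHANGING.has(request.method)) return false;
  if (!needsCheck(request.headers)) return false;
  const origin = request.headers.get('origin') ?? '';
  return origin !== new URL(request.url).origin;
}

// Constructed cross-site form posts: plain media type, media type with a
// trailing parameter, and no Content-Type header at all.
function makeRequest(contentType, origin = 'https://other.example') {
  const headers = new Map([['origin', origin]]);
  if (contentType !== null) headers.set('content-type', contentType);
  return { method: 'POST', url: 'https://site.example/api/update', headers };
}
const PLAIN = makeRequest('application/x-www-form-urlencoded');
const WITH_PARAM = makeRequest('application/x-www-form-urlencoded; abc');
const NO_HEADER = makeRequest(null);
```

Running the three constructed requests through both checks shows the weak one blocking only `PLAIN`, while the hardened one blocks all three cross-site posts and still lets a same-origin post through.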
Status: Published
Exploitability: 0.5
Weighted Severity: 6.2
Risk: 3.1
System           Score     Found at
epss             0.00196   https://api.first.org/data/v1/epss?cve=CVE-2024-56140
cvssv3.1         5.9       https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
generic_textual  MODERATE  https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
ssvc             Track     https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
cvssv3.1         5.9       https://github.com/withastro/astro
generic_textual  MODERATE  https://github.com/withastro/astro
cvssv3.1         5.9       https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
generic_textual  MODERATE  https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
ssvc             Track     https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
cvssv3.1         5.9       https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
generic_textual  MODERATE  https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
ssvc             Track     https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
cvssv3.1         5.9       https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
generic_textual  MODERATE  https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
ssvc             Track     https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
cvssv3.1         5.9       https://nvd.nist.gov/vuln/detail/CVE-2024-56140
generic_textual  MODERATE  https://nvd.nist.gov/vuln/detail/CVE-2024-56140
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-18T21:03:26Z/ Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://github.com/withastro/astro
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-18T21:03:26Z/ Found at https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-18T21:03:26Z/ Found at https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-18T21:03:26Z/ Found at https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-56140
Exploit Prediction Scoring System (EPSS)
Percentile: 0.41424
EPSS Score: 0.00196
Published At: June 11, 2026, 12:55 p.m.

Date                              Actor         Action  Source                                                                                  VulnerableCode Version
2026-06-10T18:34:18.463751+00:00  Vulnrichment  Import  https://github.com/cisagov/vulnrichment/blob/develop/2024/56xxx/CVE-2024-56140.json  38.6.0