astro's client-side router has DOM Clobbering Gadget that leads to XSS
Description
The Astro web framework has a DOM Clobbering gadget in its client-side router, affecting versions from 3.0.0 up to but not including 4.16.1. It can lead to cross-site scripting (XSS) on websites that enable Astro's client-side routing and *store* attacker-controlled scriptless HTML elements (for example, iframe tags with unsanitized name attributes) on the destination pages. This vulnerability can result in XSS attacks on websites built with Astro that enable client-side routing with ViewTransitions and store user-inserted scriptless HTML tags without properly sanitizing their name attributes. Version 4.16.1 contains a patch for this issue.
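The site-side mitigation the description points at, sanitizing the name (and id) attributes of stored user HTML before it reaches a page served by the client-side router, as an added JavaScript example that is not part of the advisory or of Astro's code. It assumes the stored HTML is available as a string; the protected-name list is a hand-picked subset of `document` properties because Node has no DOM to query, and the regex scan stands in for the parsed-DOM pass a real sanitizer would use.

```javascript
// Added example, not Astro's code: strip name/id attributes from stored user
// HTML when they would shadow a built-in property of `document`. Only these
// five element types populate the document's named-property namespace
// (HTML spec, "named access on the Document object"), so <div name="scripts">
// is harmless while <iframe name="scripts"> clobbers document.scripts.
const NAMED_ELEMENTS = ['embed', 'form', 'iframe', 'img', 'object'];

// Hand-picked subset of document properties that must never be shadowed.
// In a browser you would test `value in document` instead of a fixed list.
const PROTECTED_DOCUMENT_NAMES = new Set([
  'scripts', 'forms', 'images', 'links', 'anchors', 'embeds', 'plugins',
  'body', 'head', 'cookie', 'location', 'currentScript', 'documentElement',
  'getElementsByTagName', 'getElementById', 'querySelector',
  'querySelectorAll', 'createElement', 'write',
]);

const TAG_RE = new RegExp(`<(${NAMED_ELEMENTS.join('|')})\\b([^>]*)>`, 'gi');
// name/id attribute with a double-quoted, single-quoted or bare value.
// (Regex scanning is for illustration; production code should walk a parsed
// DOM, as DOMPurify's SANITIZE_DOM option does.)
const ATTR_RE = /\s+(name|id)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Named access on document is case-sensitive, so compare the value exactly.
function isClobberingName(value) {
  return PROTECTED_DOCUMENT_NAMES.has(value);
}

// Returns the cleaned HTML plus a log of what was stripped, for auditing.
function sanitizeClobberingNames(html) {
  const removed = [];
  const cleaned = html.replace(TAG_RE, (_tag, tagName, attrs) => {
    const safeAttrs = attrs.replace(ATTR_RE, (match, attr, dq, sq, bare) => {
      const value = dq ?? sq ?? bare;
      if (!isClobberingName(value)) return match; // keep harmless attributes
      removed.push({ tag: tagName.toLowerCase(), attr: attr.toLowerCase(), value });
      return ''; // drop the clobbering attribute
    });
    return `<${tagName}${safeAttrs}>`;
  });
  return { html: cleaned, removed };
}

// Constructed sample of stored user content on a destination page.
const SAMPLE = '<p>hi</p><iframe name="scripts" src="/e"></iframe>'
  + '<div name="scripts"></div><img id="logo" src="/l.png">';
const result = sanitizeClobberingNames(SAMPLE);
console.log(result.html);    // <p>hi</p><iframe src="/e"></iframe><div name="scripts"></div><img id="logo" src="/l.png">
console.log(result.removed); // [ { tag: 'iframe', attr: 'name', value: 'scripts' } ]
```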
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| astro (npm) | >= 3.0.0, < 4.16.1 | 4.16.1 |
Affected products
Patches
a4ffbfaa5cb4: Ensure router only targets scripts for execution (#12177)
5 files changed · +17 −4
.changeset/nervous-peaches-sort.md+7 −0 added@@ -0,0 +1,7 @@ +--- +'astro': patch +--- + +Ensure we target scripts for execution in the router + +Using `document.scripts` is unsafe because if the application has a `name="scripts"` this will shadow the built-in `document.scripts`. Fix is to use `getElementsByTagName` to ensure we're only grabbing real scripts.
packages/astro/e2e/fixtures/view-transitions/src/assets/astro-build.mp4+0 −0 addedpackages/astro/e2e/fixtures/view-transitions/src/components/Video.astro+5 −2 modified@@ -1,3 +1,6 @@ -<video controls="" autoplay="" name="media" transition:persist transition:name="video" autoplay> - <source src="https://ia804502.us.archive.org/33/items/GoldenGa1939_3/GoldenGa1939_3_512kb.mp4" type="video/mp4"> +--- +import vidUrl from '../assets/astro-build.mp4'; +--- +<video controls="" autoplay="" transition:persist transition:name="video" autoplay> + <source src={vidUrl} type="video/mp4"> </video>
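Review bot: the Video.astro hunk drops `name="media"` from the video tag and swaps the remote archive.org mp4 for a local asset in the same change, but neither edit is mentioned in the changeset; say in the commit message that the local file keeps the e2e run offline and whether removing `name` was deliberate (a `video` element's `name` attribute is not one of those that create named properties on `document`, so it is not part of the clobbering surface this fix targets).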
packages/astro/e2e/fixtures/view-transitions/src/pages/one.astro+3 −0 modified@@ -20,4 +20,7 @@ import Layout from '../components/Layout.astro'; </custom-a> <div id="test">test content</div> + + <!-- This ensures we're correctly grabbing just scripts for execution --> + <div name="scripts"></div> </Layout>
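Review bot: the fixture added in the one.astro hunk does not exercise the bug: a `<div name="scripts">` creates no named property on `document` (per the HTML spec's named access on the Document object, only embed, form, iframe, img and object elements with a `name`, plus object elements and named img elements with an `id`, do), so `document.scripts` still resolves to the real HTMLCollection and an e2e check built on this element cannot distinguish the fixed router from the old one. Suggest `<iframe name="scripts"></iframe>`, which matches the gadget the advisory describes.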
packages/astro/src/transitions/router.ts+2 −2 modified@@ -134,7 +134,7 @@ export function getFallback(): Fallback { function runScripts() { let wait = Promise.resolve(); - for (const script of Array.from(document.scripts)) { + for (const script of document.getElementsByTagName('script')) { if (script.dataset.astroExec === '') continue; const type = script.getAttribute('type'); if (type && type !== 'module' && type !== 'text/javascript') continue; @@ -643,7 +643,7 @@ if (inBrowser) { ); } } - for (const script of document.scripts) { + for (const script of document.getElementsByTagName('script')) { script.dataset.astroExec = ''; } }
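Review bot: the first router.ts hunk drops the `Array.from(...)` snapshot the old loop had, so `runScripts` now iterates a live `HTMLCollection`; if the loop body later removes or replaces script nodes, elements can be skipped. Suggest keeping the snapshot: `for (const script of Array.from(document.getElementsByTagName('script')))`. As a further hardening, since the replacement still resolves the method through the same `document` object whose named properties caused the bug, bind it once at module load (`const getByTag = Document.prototype.getElementsByTagName;`) and call `getByTag.call(document, 'script')` in both hunks.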
References
- github.com/advisories/GHSA-m85w-3h95-hcf9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-47885 (advisory)
- github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts (web)
- github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e (web)
- github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9 (confirm)