Astro: Reflected XSS via unescaped slot name
Description
Astro fails to escape slot names in client:* directives, allowing reflected XSS via crafted slot name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Astro versions prior to 6.3.3, when a component uses a client:* directive, the slot name is interpolated into a data-astro-template attribute without HTML escaping. This occurs in packages/astro/src/runtime/server/render/component.ts at line 371, where the slot name key is inserted directly into the attribute value of the template element that wraps the slot content `${children[key]}`. Affected versions include Astro 6.3.1 and earlier; the fix was released in 6.3.3. [1][2]
Exploitation
An attacker can control the slot name via a query parameter (e.g., tab) in a page that passes it to a slot. A crafted value breaks out of the attribute context, closing the `<template>` tag and injecting arbitrary HTML/JavaScript. No authentication is required; the attacker only needs to trick a user into visiting a crafted URL. The proof-of-concept uses the slot name `abc"><!--`, which closes the attribute value and the opening tag and then starts an HTML comment, so the rendered output contains `<!--">content` in place of a well-formed template. [1][2]
Impact
Successful exploitation leads to reflected cross-site scripting (XSS) in the context of the victim's browser. The attacker can execute arbitrary JavaScript, potentially stealing cookies or session tokens, or performing actions on behalf of the user. This vulnerability is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point. [1][2]
Mitigation
The fix applies the existing escapeHTML function to the slot name: the patched code interpolates `escapeHTML(String(key))` into the attribute value, while the slot content `${children[key]}` is rendered as before. The vulnerability is fixed in Astro version 6.3.3. Users should upgrade to 6.3.3 or later. No workarounds are documented. [1][2]
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Vulnerability mechanics
Root cause
"Missing HTML escaping of the slot name in the `data-astro-template` attribute allows an attacker to break out of the attribute context and inject arbitrary HTML."
Attack vector
An attacker can control the slot name via a user-supplied query parameter (e.g. `?tab=...`) that is passed unsanitized to a component using a `client:*` directive [ref_id=1][ref_id=2]. The unescaped slot name is written into a `data-astro-template` attribute, enabling the attacker to close the attribute and the `<template>` element, then inject arbitrary HTML such as `<img src=x onerror=confirm(document.domain)>`, resulting in reflected XSS during server-side rendering [ref_id=1].
Affected code
The vulnerable code is in `packages/astro/src/runtime/server/render/component.ts` at line 371, where the slot name (`key`) is interpolated directly into a `data-astro-template` attribute without HTML escaping [ref_id=1][ref_id=2]. This allows an attacker to break out of the attribute context and inject arbitrary HTML during SSR.
What the fix does
The patch wraps `key` with `escapeHTML(String(key))` before interpolating it into the attribute value [ref_id=1][ref_id=2]. This ensures that any HTML metacharacters in the slot name are properly encoded, preventing an attacker from injecting closing quotes, closing tags, or arbitrary markup. The existing `escapeHTML` function was already available in the codebase, so the fix is a minimal and targeted change.
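As an added illustration (not Astro's own code), the vulnerable and patched attribute emission side by side, plus a round-trip check that flags when a slot name escapes the attribute context. escapeHTML, unescapeHTML and the renderSlot* functions are assumed stand-ins for the logic in component.ts, not the project's real helpers.

```javascript
// Added example, not Astro's code: a minimal stand-in for the
// <template data-astro-template="..."> emission the advisory describes,
// before and after the 6.3.3 fix. escapeHTML/unescapeHTML are assumed
// implementations, not Astro's own helpers.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

function unescapeHTML(value) {
  return value
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&'); // &amp; last, so it never re-decodes
}

// Pre-fix: the slot name (key) is interpolated into the attribute as-is.
function renderSlotVulnerable(key, content) {
  return `<template data-astro-template="${key}">${content}</template>`;
}

// Post-fix: the slot name is escaped first; slot content handling is unchanged here.
function renderSlotFixed(key, content) {
  return `<template data-astro-template="${escapeHTML(String(key))}">${content}</template>`;
}

// Round-trip check: read the attribute back the way a browser would (the
// value ends at the first quote), decode it, and compare with the slot name
// that was meant to be stored. A mismatch means the name broke out of the
// attribute context.
function slotNameRoundTrips(html, key) {
  const m = /^<template data-astro-template="([^"]*)">/.exec(html);
  return m !== null && unescapeHTML(m[1]) === String(key);
}

const POC_SLOT_NAME = 'abc"><!--'; // the advisory's proof-of-concept slot name

function demo() {
  const vulnerable = renderSlotVulnerable(POC_SLOT_NAME, 'content');
  const fixed = renderSlotFixed(POC_SLOT_NAME, 'content');
  return {
    vulnerable,                                                      // ...="abc"><!--">content</template>
    fixed,                                                           // ...="abc&quot;&gt;&lt;!--">content</template>
    vulnerableIntact: slotNameRoundTrips(vulnerable, POC_SLOT_NAME), // false
    fixedIntact: slotNameRoundTrips(fixed, POC_SLOT_NAME),           // true
  };
}
```

The same round-trip check works as a regression test for any attribute that carries user-controlled data, not only the slot name.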
Preconditions
- config: The application must use a component with a `client:*` directive (e.g. `client:load`) and accept attacker-controlled input as a named slot value.
- input: An attacker must be able to supply a crafted `slot` value via an HTTP query parameter or other user-controllable input that is reflected into the rendered page.
- auth: No authentication is required; the vulnerability can be triggered by any unauthenticated HTTP request to a page that reflects the slot name.
- network: The target must be reachable over the network; a typical web-server setup is sufficient.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.