VYPR
Medium severity (4.2) · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

Astro: XSS via Unescaped Attribute Names in Spread Props

CVE-2026-54298

Description

Astro's SSR spreadAttributes escapes attribute values but not keys, enabling XSS when object keys are attacker-controlled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. The vulnerable code is in packages/astro/src/runtime/server/render/util.ts (lines 81–141) and packages/astro/src/runtime/server/index.ts (lines 91–92). When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes. Affected versions are those that include the unpatched spreadAttributes implementation; no specific version range is provided in the available references [1][2].

Exploitation

An attacker needs to control the keys of the object spread onto an HTML element. For example, an SSR page that parses `Astro.url.searchParams` into a JSON object and spreads it onto a `<div>` allows the attacker to supply a malicious query string such as `?props={"onmouseover":"alert(1)"}`. The `Object.entries()` loop passes each key directly to `addAttribute`, which renders the key unescaped. A crafted key like `" onclick="alert(1)` can break out of the attribute context and inject event handlers or new HTML elements [1][2].

Impact

Successful exploitation leads to cross-site scripting (XSS). An attacker can inject arbitrary HTML attributes, including event handlers like onmouseover, onclick, or completely break the attribute context to introduce new script tags or elements. This results in arbitrary JavaScript execution in the context of the user's session, potentially leading to data theft, session hijacking, or defacement [1][2].

Mitigation

No fixed version is explicitly stated in the available references. As a workaround, developers should avoid spreading user-controlled object keys directly onto HTML elements. Keys should be sanitized or validated before being passed to the component. Server-side rendering pages that accept untrusted input via JSON.parse(Astro.url.searchParams.get('props')) should not use the spread syntax without filtering. The Astro team has acknowledged the issue in the GitHub advisory [1][2]; users are advised to monitor for a patched release.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing escaping of attribute names in `addAttribute` allows injection of arbitrary HTML attributes via object keys."

Attack vector

An attacker supplies a JSON object whose keys contain a double-quote character followed by an event handler (e.g., `x" onmousemove="alert(document.cookie)" y`). When a developer uses the spread syntax `{...props}` on an HTML element, the `spreadAttributes` function iterates over the object keys and passes them to `addAttribute`, which interpolates the key into the HTML output as ` ${key}="..."`. The injected double-quote breaks out of the attribute context, allowing arbitrary HTML attributes or event handlers to be injected. This can be triggered via URL parameters in SSR mode or via compromised data sources (API, CMS, database) in static builds.

Affected code

The vulnerability resides in `addAttribute` at `packages/astro/src/runtime/server/render/util.ts:81-141` and `spreadAttributes` at `packages/astro/src/runtime/server/index.ts:91-92`. The `addAttribute` function interpolates the attribute name `key` directly into the HTML template string without escaping, while `spreadAttributes` iterates over object entries and passes each key to `addAttribute` unchanged.

What the fix does

The advisory does not include a published patch. The fix would need to sanitize or escape the `key` parameter inside `addAttribute` before interpolating it into the HTML template string, or validate that the key contains only safe characters (e.g., alphanumeric and hyphens) before rendering. Until a patch is released, developers must avoid spreading untrusted object keys onto HTML elements.
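As an added illustration (not Astro's code and not the project's patch), the following JavaScript models the pattern the advisory describes in the Affected code and Mitigation sections: an `addAttribute` that escapes the value but interpolates the key verbatim, beside a hardened variant that rejects attribute names outside an allow-list, plus the call-site filtering recommended as a workaround. The function names, the escaping rules and the `SAFE_ATTR_NAME` pattern are assumptions for this example; the sample payload is the advisory's query string after URL decoding.

```javascript
// Added example, not Astro's code: a minimal model of the spreadAttributes /
// addAttribute pattern from the advisory, beside a hardened variant. The
// signatures and escaping rules below are assumptions for this example.

// Escape an attribute VALUE; this is the part the vulnerable code already did.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable model: the KEY is interpolated verbatim, only the value is escaped.
function addAttributeUnsafe(value, key) {
  if (value == null || value === false) return '';
  if (value === true) return ` ${key}`;
  return ` ${key}="${escapeAttrValue(value)}"`;
}

function spreadAttributesUnsafe(values) {
  let out = '';
  for (const [key, value] of Object.entries(values)) {
    out += addAttributeUnsafe(value, key);
  }
  return out;
}

// Hardened model: refuse any attribute name that is not a plain identifier.
// This allow-list (letters, digits, '-', '_', ':', '.') is an assumption for
// this example; it is deliberately stricter than what HTML parsers tolerate.
const SAFE_ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

function addAttributeSafe(value, key) {
  if (!SAFE_ATTR_NAME.test(key)) {
    throw new Error(`unsafe attribute name: ${JSON.stringify(key)}`);
  }
  return addAttributeUnsafe(value, key);
}

function spreadAttributesSafe(values) {
  let out = '';
  for (const [key, value] of Object.entries(values)) {
    out += addAttributeSafe(value, key);
  }
  return out;
}

// Call-site mitigation (the advisory's workaround): keep only explicitly
// allowed keys from an untrusted object before spreading it.
function pickAllowedProps(untrusted, allowedKeys) {
  const clean = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) clean[key] = untrusted[key];
  }
  return clean;
}

function renderDiv(props, spread) {
  return `<div${spread(props)}>Move mouse here</div>`;
}

// Constructed input: the advisory's query-string payload after URL decoding.
const PAYLOAD = '{"x\\" onmousemove=\\"alert(document.cookie)\\" y":""}';

// Vulnerable path: the key breaks out of the attribute context.
function renderVulnerable(payloadJson = PAYLOAD) {
  return renderDiv(JSON.parse(payloadJson), spreadAttributesUnsafe);
}

// Hardened path: the same payload is rejected outright by the renderer...
function renderHardened(payloadJson = PAYLOAD) {
  try {
    return renderDiv(JSON.parse(payloadJson), spreadAttributesSafe);
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// ...or filtered at the call site so only known-safe keys ever reach it.
function renderFiltered(payloadJson = PAYLOAD, allowedKeys = ['class', 'id']) {
  return renderDiv(pickAllowedProps(JSON.parse(payloadJson), allowedKeys), spreadAttributesSafe);
}

console.log(renderVulnerable()); // <div x" onmousemove="alert(document.cookie)" y="">Move mouse here</div>
console.log(renderHardened());   // rejected: unsafe attribute name: ...
console.log(renderFiltered());   // <div>Move mouse here</div>
```

Rejecting rather than escaping the key is the safer default for attribute names: there is no HTML escape sequence that makes `"` or whitespace legal inside a name, so anything outside the allow-list is not a value to sanitize but a request to render an attribute the template never declared.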

Preconditions

  • config: The application must use the spread syntax `{...props}` on an HTML element where `props` originates from an untrusted source (URL parameters, API response, CMS data, etc.).
  • input: In SSR mode, the attacker can supply the malicious object via URL query parameters. In SSG mode, the attacker must compromise a build-time data source (API, CMS, database).
  • auth: No authentication is required when the attack is delivered via URL parameters in SSR mode.
  • network: The attacker must be able to send a crafted HTTP request to the Astro server (SSR) or inject malicious data into the build pipeline (SSG).

Reproduction

Create an SSR Astro page (`src/pages/index.astro`) with:

```astro
---
const props = JSON.parse(Astro.url.searchParams.get('props') || '{}');
---
<html>
  <body>
    <h1>Hello</h1>
    <div {...props}>Move mouse here</div>
  </body>
</html>
```

Enable SSR in `astro.config.mjs` with `output: 'server'`. Start the dev server and visit:

```
http://localhost:4321/?props=%7B%22x%5C%22%20onmousemove%3D%5C%22alert(document.cookie)%5C%22%20y%22%3A%22%22%7D
```

The rendered HTML contains `<div x" onmousemove="alert(document.cookie)" y="">Move mouse here</div>`, and moving the mouse over the div executes the JavaScript.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
