VYPR

npm package

astro

pkg:npm/astro

Vulnerabilities (17)

  • CVE-2026-45028MedMay 13, 2026
    affected < 6.1.10fixed 6.1.10

    Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one com

  • CVE-2026-41067MedApr 24, 2026
    affected < 6.1.6fixed 6.1.6

    Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements ca

  • CVE-2026-33769Mar 24, 2026
    affected >= 2.10.10, < 5.18.1fixed 5.18.1

    Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a

  • CVE-2025-66202Dec 8, 2025
    affected < 5.15.8fixed 5.15.8

    Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was

  • CVE-2025-64765Nov 19, 2025
    affected < 5.15.8fixed 5.15.8

    Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render

  • CVE-2025-64764Nov 19, 2025
    affected < 5.15.8fixed 5.15.8

    Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.

  • CVE-2025-65019Nov 19, 2025
    affected < 5.15.9fixed 5.15.9

    Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: pr

  • CVE-2025-64757Nov 19, 2025
    affected < 5.14.3fixed 5.14.3

    Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and al

  • CVE-2025-64745Nov 13, 2025
    affected >= 5.2.0, < 5.15.6fixed 5.15.6

    Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScrip

  • CVE-2025-64525Nov 13, 2025
    affected >= 2.16.0, < 5.15.5fixed 5.15.5

    Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most importan

  • CVE-2025-59837Oct 28, 2025
    affected >= 5.13.4, < 5.13.10fixed 5.13.10

    Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request

  • CVE-2025-61925Oct 10, 2025
    affected < 5.14.3fixed 5.14.3

    Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As

  • CVE-2025-55303Aug 19, 2025
    affected >= 5.0.0-alpha.0, < 5.13.2fixed 5.13.2

    Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built wit

  • CVE-2025-54793Aug 8, 2025
    affected >= 5.2.0, < 5.12.8fixed 5.12.8

    Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains

  • CVE-2024-56159Dec 19, 2024
    affected >= 5.0.0-alpha.0, < 5.0.8fixed 5.0.8

    Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a

  • CVE-2024-56140Dec 18, 2024
    affected < 4.16.17fixed 4.16.17

    Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However

  • CVE-2024-47885Oct 14, 2024
    affected >= 3.0.0, < 4.16.1fixed 4.16.1

    The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elem