Vulnerability	Vulnerable Version
M Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the `X-Forwarded-Host` header when using the `Astro.url` property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers. Note: This is only exploitable if the application is deployed in on-demand/dynamic rendering mode. In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users. How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')? Upgrade `@astrojs/node` to version 9.4.5 or higher.	<9.4.5
M Open Redirect @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Open Redirect via the `trailingSlash` configuration in standalone mode with the Node deployment adapter. An attacker can redirect users to external sites by crafting URLs with double slashes, potentially leading to credential theft, malware distribution, or phishing attacks. Note: This is only exploitable if the Node deployment adapter is used in standalone mode and `trailingSlash` is set to "always" in the configuration. How to fix Open Redirect? Upgrade `@astrojs/node` to version 9.4.1 or higher.	<9.4.1

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the X-Forwarded-Host header when using the Astro.url property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers.

Note:

This is only exploitable if the application is deployed in on-demand/dynamic rendering mode.
In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users.

How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')?

Upgrade @astrojs/node to version 9.4.5 or higher.

<9.4.5

Open Redirect

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Open Redirect via the trailingSlash configuration in standalone mode with the Node deployment adapter. An attacker can redirect users to external sites by crafting URLs with double slashes, potentially leading to credential theft, malware distribution, or phishing attacks.

Note: This is only exploitable if the Node deployment adapter is used in standalone mode and trailingSlash is set to "always" in the configuration.

How to fix Open Redirect?

Upgrade @astrojs/node to version 9.4.1 or higher.

<9.4.1

Go back to all versions of this package