@astrojs/node 0.0.0-toolbar-absolute-paths-20240126155246

Direct Vulnerabilities

Known vulnerabilities in the @astrojs/node package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `/_server-islands/[name]` route handler, which buffers and parses the entire request body as JSON without enforcing a size limit. An attacker can cause the server process to exhaust available memory and crash by sending a single unauthenticated request with a crafted payload containing many small JSON objects, resulting in significant memory amplification. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `@astrojs/node` to version 10.0.0 or higher.	<10.0.0
M Relative Path Traversal @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Relative Path Traversal via the `href` parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.js process by sending crafted HTTP requests specifying absolute file paths. How to fix Relative Path Traversal? Upgrade `@astrojs/node` to version 9.4.5 or higher.	<9.4.5
M Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the `X-Forwarded-Host` header when using the `Astro.url` property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers. Note: This is only exploitable if the application is deployed in on-demand/dynamic rendering mode. In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users. How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')? Upgrade `@astrojs/node` to version 9.4.5 or higher.	<9.4.5
M Open Redirect @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Open Redirect via the `trailingSlash` configuration in standalone mode with the Node deployment adapter. An attacker can redirect users to external sites by crafting URLs with double slashes, potentially leading to credential theft, malware distribution, or phishing attacks. Note: This is only exploitable if the Node deployment adapter is used in standalone mode and `trailingSlash` is set to "always" in the configuration. How to fix Open Redirect? Upgrade `@astrojs/node` to version 9.4.1 or higher.	<9.4.1

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /_server-islands/[name] route handler, which buffers and parses the entire request body as JSON without enforcing a size limit. An attacker can cause the server process to exhaust available memory and crash by sending a single unauthenticated request with a crafted payload containing many small JSON objects, resulting in significant memory amplification.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade @astrojs/node to version 10.0.0 or higher.

<10.0.0

Relative Path Traversal

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.js process by sending crafted HTTP requests specifying absolute file paths.

How to fix Relative Path Traversal?

Upgrade @astrojs/node to version 9.4.5 or higher.

<9.4.5

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the X-Forwarded-Host header when using the Astro.url property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers.

Note:

This is only exploitable if the application is deployed in on-demand/dynamic rendering mode.
In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users.

How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')?

Upgrade @astrojs/node to version 9.4.5 or higher.

<9.4.5

Open Redirect

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Open Redirect via the trailingSlash configuration in standalone mode with the Node deployment adapter. An attacker can redirect users to external sites by crafting URLs with double slashes, potentially leading to credential theft, malware distribution, or phishing attacks.

Note: This is only exploitable if the Node deployment adapter is used in standalone mode and trailingSlash is set to "always" in the configuration.

How to fix Open Redirect?

Upgrade @astrojs/node to version 9.4.1 or higher.

<9.4.1

@astrojs/node@0.0.0-toolbar-absolute-paths-20240126155246

Deploy your site to a Node.js server

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically