Vulnerability	Vulnerable Version
M Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the `X-Forwarded-Host` header when using the `Astro.url` property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers. Note: This is only exploitable if the application is deployed in on-demand/dynamic rendering mode. In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users. How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')? Upgrade `@astrojs/node` to version 9.4.5 or higher.	<9.4.5

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

@astrojs/node is a Deploy your site to a Node.js server

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the X-Forwarded-Host header when using the Astro.url property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers.

Note:

This is only exploitable if the application is deployed in on-demand/dynamic rendering mode.
In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users.

How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')?

Upgrade @astrojs/node to version 9.4.5 or higher.

<9.4.5

Go back to all versions of this package