astro 0.0.0-compiler-20219261822 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the astro package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Use of Non-Canonical URL Paths for Authorization Decisions astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for protecting routes decodes the request path only once, allowing double-encoded sequences to bypass path-based authentication checks. An attacker can exploit this by submitting double-encoded URLs to access protected routes such as /admin or /api/internal, enabling unauthorized access to restricted functionality. Note: There has been an attempt to fix this vulnerability in version 5.15.8 following CVE-2025-64765, but the fix is insufficient. How to fix Use of Non-Canonical URL Paths for Authorization Decisions? Upgrade `astro` to version 5.16.3 or higher.	<5.16.3
M Directory Traversal astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Directory Traversal via a mismatch in path normalization between routing and middleware validation. An attacker can access protected routes by sending requests with URL-encoded path variants that bypass authentication checks. How to fix Directory Traversal? Upgrade `astro` to version 5.15.8 or higher.	<5.15.8
M Relative Path Traversal astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Relative Path Traversal via the `href` parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.js process by sending crafted HTTP requests specifying absolute file paths. How to fix Relative Path Traversal? Upgrade `astro` to version 5.14.3 or higher.	<5.14.3
M Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/_server-islands/[name]` endpoint when handling the `e`, `s` and `p` parameters. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious payloads into one of the parameters, which are rendered as a child of a tag whose name is derived from the absolute path of the island file. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 5.15.8 or higher.	<5.15.8
M Server-side Request Forgery (SSRF) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `x-forwarded-proto` and `x-forwarded-port` headers due to improper input sanitization when constructing URLs. An attacker can bypass path-based middleware protections, poison caches, or perform server-side requests by manipulating these headers. Note: This is also a bypass of the fix for CVE-2025-61925. How to fix Server-side Request Forgery (SSRF)? Upgrade `astro` to version 5.15.5 or higher.	<5.15.5
M Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the `X-Forwarded-Host` header when using the `Astro.url` property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers. Note: This is only exploitable if the application is deployed in on-demand/dynamic rendering mode. In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users. How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')? Upgrade `astro` to version 5.14.3 or higher.	<5.14.3
M Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/_image` endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files, to be served by bypassing domain restrictions using protocol-relative URLs. This can lead to the execution of arbitrary scripts in the context of the affected site if a user follows a crafted link. Note: This vulnerability is only exploitable in projects using the `@astrojs/node` adapter and on-demand rendering. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 4.16.19, 5.13.2 or higher.	<4.16.19>=5.0.0-alpha.0 <5.13.2
H Storage of File with Sensitive Data Under Web Root astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Storage of File with Sensitive Data Under Web Root due to the exposure of sourcemap files in publicly accessible directories during the build process. An attacker can access and reconstruct server-side source code by making unauthorized HTTP GET requests to the server hosting the website. Note: This is only exploitable if sourcemaps are enabled. How to fix Storage of File with Sensitive Data Under Web Root? Upgrade `astro` to version 4.16.18, 5.0.8 or higher.	<4.16.18>=5.0.0-alpha.0 <5.0.8
M Cross-site Request Forgery (CSRF) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the function `createOriginCheckMiddleware` due to improper validation of the `content-type` header How to fix Cross-site Request Forgery (CSRF)? Upgrade `astro` to version 4.16.17 or higher.	<4.16.17
M Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization and insecure usage of `JSON.stringify` method in the `server-islands.ts` component. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 4.12.2 or higher.	<4.12.2

Vulnerability

Vulnerable Version

Use of Non-Canonical URL Paths for Authorization Decisions

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for protecting routes decodes the request path only once, allowing double-encoded sequences to bypass path-based authentication checks. An attacker can exploit this by submitting double-encoded URLs to access protected routes such as /admin or /api/internal, enabling unauthorized access to restricted functionality.

Note: There has been an attempt to fix this vulnerability in version 5.15.8 following CVE-2025-64765, but the fix is insufficient.

How to fix Use of Non-Canonical URL Paths for Authorization Decisions?

Upgrade astro to version 5.16.3 or higher.

<5.16.3

Directory Traversal

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Directory Traversal via a mismatch in path normalization between routing and middleware validation. An attacker can access protected routes by sending requests with URL-encoded path variants that bypass authentication checks.

How to fix Directory Traversal?

Upgrade astro to version 5.15.8 or higher.

<5.15.8

Relative Path Traversal

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.js process by sending crafted HTTP requests specifying absolute file paths.

How to fix Relative Path Traversal?

Upgrade astro to version 5.14.3 or higher.

<5.14.3

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_server-islands/[name] endpoint when handling the e, s and p parameters. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious payloads into one of the parameters, which are rendered as a child of a tag whose name is derived from the absolute path of the island file.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 5.15.8 or higher.

<5.15.8

Server-side Request Forgery (SSRF)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the x-forwarded-proto and x-forwarded-port headers due to improper input sanitization when constructing URLs. An attacker can bypass path-based middleware protections, poison caches, or perform server-side requests by manipulating these headers.

Note:

This is also a bypass of the fix for CVE-2025-61925.

How to fix Server-side Request Forgery (SSRF)?

Upgrade astro to version 5.15.5 or higher.

<5.15.5

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the X-Forwarded-Host header when using the Astro.url property without validation. An attacker can manipulate output content and potentially cause users to be redirected to malicious sites, allowing login credentials theft by sending crafted headers.

Note:

This is only exploitable if the application is deployed in on-demand/dynamic rendering mode.
In case of using a caching proxy, any page which is cached could persist the malicious value for subsequent users.

How to fix Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')?

Upgrade astro to version 5.14.3 or higher.

<5.14.3

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_image endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files, to be served by bypassing domain restrictions using protocol-relative URLs. This can lead to the execution of arbitrary scripts in the context of the affected site if a user follows a crafted link.

Note: This vulnerability is only exploitable in projects using the @astrojs/node adapter and on-demand rendering.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 4.16.19, 5.13.2 or higher.

<4.16.19>=5.0.0-alpha.0 <5.13.2

Storage of File with Sensitive Data Under Web Root

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Storage of File with Sensitive Data Under Web Root due to the exposure of sourcemap files in publicly accessible directories during the build process. An attacker can access and reconstruct server-side source code by making unauthorized HTTP GET requests to the server hosting the website.

Note:

This is only exploitable if sourcemaps are enabled.

How to fix Storage of File with Sensitive Data Under Web Root?

Upgrade astro to version 4.16.18, 5.0.8 or higher.

<4.16.18>=5.0.0-alpha.0 <5.0.8

Cross-site Request Forgery (CSRF)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the function createOriginCheckMiddleware due to improper validation of the content-type header

How to fix Cross-site Request Forgery (CSRF)?

Upgrade astro to version 4.16.17 or higher.

<4.16.17

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization and insecure usage of JSON.stringify method in the server-islands.ts component.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 4.12.2 or higher.

<4.12.2

astro@0.0.0-compiler-20219261822 vulnerabilities

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically