astro 0.0.0-content-collections-intellisense-20240808164539 vulnerabilities

Known vulnerabilities in the astro package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/_image` endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files, to be served by bypassing domain restrictions using protocol-relative URLs. This can lead to the execution of arbitrary scripts in the context of the affected site if a user follows a crafted link. Note: This vulnerability is only exploitable in projects using the `@astrojs/node` adapter and on-demand rendering. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 4.16.19, 5.13.2 or higher.	<4.16.19>=5.0.0-alpha.0 <5.13.2
H Storage of File with Sensitive Data Under Web Root astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Storage of File with Sensitive Data Under Web Root due to the exposure of sourcemap files in publicly accessible directories during the build process. An attacker can access and reconstruct server-side source code by making unauthorized HTTP GET requests to the server hosting the website. Note: This is only exploitable if sourcemaps are enabled. How to fix Storage of File with Sensitive Data Under Web Root? Upgrade `astro` to version 4.16.18, 5.0.8 or higher.	<4.16.18>=5.0.0-alpha.0 <5.0.8
M Cross-site Request Forgery (CSRF) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the function `createOriginCheckMiddleware` due to improper validation of the `content-type` header How to fix Cross-site Request Forgery (CSRF)? Upgrade `astro` to version 4.16.17 or higher.	<4.16.17
M Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization and insecure usage of `JSON.stringify` method in the `server-islands.ts` component. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 4.12.2 or higher.	<4.12.2

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_image endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files, to be served by bypassing domain restrictions using protocol-relative URLs. This can lead to the execution of arbitrary scripts in the context of the affected site if a user follows a crafted link.

Note: This vulnerability is only exploitable in projects using the @astrojs/node adapter and on-demand rendering.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 4.16.19, 5.13.2 or higher.

<4.16.19>=5.0.0-alpha.0 <5.13.2

Storage of File with Sensitive Data Under Web Root

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Storage of File with Sensitive Data Under Web Root due to the exposure of sourcemap files in publicly accessible directories during the build process. An attacker can access and reconstruct server-side source code by making unauthorized HTTP GET requests to the server hosting the website.

Note:

This is only exploitable if sourcemaps are enabled.

How to fix Storage of File with Sensitive Data Under Web Root?

Upgrade astro to version 4.16.18, 5.0.8 or higher.

<4.16.18>=5.0.0-alpha.0 <5.0.8

Cross-site Request Forgery (CSRF)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the function createOriginCheckMiddleware due to improper validation of the content-type header

How to fix Cross-site Request Forgery (CSRF)?

Upgrade astro to version 4.16.17 or higher.

<4.16.17

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization and insecure usage of JSON.stringify method in the server-islands.ts component.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 4.12.2 or higher.

<4.12.2

astro@0.0.0-content-collections-intellisense-20240808164539 vulnerabilities

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

How to fix?