astro@5.15.6 vulnerabilities

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

  • latest version

    5.16.0

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the astro package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M
    Directory Traversal

    astro is a modern site builder with web best practices, performance, and DX front-of-mind.

    Affected versions of this package are vulnerable to Directory Traversal via a mismatch in path normalization between routing and middleware validation. An attacker can access protected routes by sending requests with URL-encoded path variants that bypass authentication checks.

    How to fix Directory Traversal?

    Upgrade astro to version 5.15.8 or higher.

    <5.15.8
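
The normalization mismatch described above, seen from the middleware side, as an added example that is not code from Astro or from this advisory. The `/admin` prefix and all helper names are hypothetical, and it assumes a router that percent-decodes the path before matching while the middleware compares the raw path.

```javascript
// Added example: hypothetical helpers, not Astro's API or its actual fix.
const PROTECTED_PREFIXES = ["/admin"]; // assumed protected route prefix

function matchesPrefix(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Weak check: compares the raw, still-encoded request path.
function naiveIsProtected(rawPath) {
  return matchesPrefix(rawPath);
}

// Reduce a raw path to the form a decoding router would match on.
// Returns null when the path cannot be canonicalized safely.
function canonicalPath(rawPath) {
  let path = rawPath;
  // Decode a bounded number of times so double-encoded input is resolved too.
  for (let i = 0; i < 3; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(path);
    } catch {
      return null; // malformed percent-encoding
    }
    if (decoded === path) break;
    path = decoded;
  }
  if (/%[0-9a-fA-F]{2}/.test(path)) return null; // still encoded after the bound
  // Collapse empty and "." segments and resolve ".." segments.
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Hardened check: validate the canonical path and fail closed on anything odd.
function isProtected(rawPath) {
  const path = canonicalPath(rawPath);
  return path === null ? true : matchesPrefix(path);
}
```

Upgrading to 5.15.8 or higher remains the fix; a check like this is defense in depth for custom middleware that gates routes by path.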
    • M
    Cross-site Scripting (XSS)

    astro is a modern site builder with web best practices, performance, and DX front-of-mind.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_server-islands/[name] endpoint when handling the e, s and p parameters. An attacker can execute arbitrary scripts in the context of the user's browser by injecting malicious payloads into one of the parameters, which are rendered as a child of a tag whose name is derived from the absolute path of the island file.

    How to fix Cross-site Scripting (XSS)?

    Upgrade astro to version 5.15.8 or higher.

    <5.15.8