astro 5.18.2

Direct Vulnerabilities

Known vulnerabilities in the astro package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Reusing a Nonce, Key Pair in Encryption astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Reusing a Nonce, Key Pair in Encryption of server island parameters. An attacker can inject malicious HTML or script content into a component by replaying encrypted values between props and slots across different components. Note: This is only exploitable if the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop in a dynamically rendered page. How to fix Reusing a Nonce, Key Pair in Encryption? Upgrade `astro` to version 6.1.10 or higher.	<6.1.10
M Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `defineScriptVars` function due to incomplete sanitization of closing `</script>` tags within injected variables. An attacker can execute arbitrary JavaScript in the victim's browser by supplying specially crafted input that bypasses the case-sensitive regex, resulting in early closure of the script block and injection of attacker-controlled HTML or JavaScript. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 6.1.6 or higher.	<6.1.6
H Allocation of Resources Without Limits or Throttling astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `/_server-islands/[name]` route handler, which buffers and parses the entire request body as JSON without enforcing a size limit. An attacker can cause the server process to exhaust available memory and crash by sending a single unauthenticated request with a crafted payload containing many small JSON objects, resulting in significant memory amplification. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `astro` to version 6.0.0-beta.20 or higher.	<6.0.0-beta.20

Vulnerability

Vulnerable Version

Reusing a Nonce, Key Pair in Encryption

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Reusing a Nonce, Key Pair in Encryption of server island parameters. An attacker can inject malicious HTML or script content into a component by replaying encrypted values between props and slots across different components.

Note: This is only exploitable if the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop in a dynamically rendered page.

How to fix Reusing a Nonce, Key Pair in Encryption?

Upgrade astro to version 6.1.10 or higher.

<6.1.10

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the defineScriptVars function due to incomplete sanitization of closing </script> tags within injected variables. An attacker can execute arbitrary JavaScript in the victim's browser by supplying specially crafted input that bypasses the case-sensitive regex, resulting in early closure of the script block and injection of attacker-controlled HTML or JavaScript.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 6.1.6 or higher.

<6.1.6

Allocation of Resources Without Limits or Throttling

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /_server-islands/[name] route handler, which buffers and parses the entire request body as JSON without enforcing a size limit. An attacker can cause the server process to exhaust available memory and crash by sending a single unauthenticated request with a crafted payload containing many small JSON objects, resulting in significant memory amplification.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade astro to version 6.0.0-beta.20 or higher.

<6.0.0-beta.20

astro@5.18.2

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically