astro 6.4.4

Direct Vulnerabilities

Known vulnerabilities in the astro package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `prerenderedErrorPageFetch`. An attacker can access sensitive information or interact with internal resources by sending a crafted request with a malicious `Host` header, which causes the server to fetch error pages from an attacker-controlled host and reflect the response back to the client. Note: This is only exploitable if the deployment uses prerendered error pages and the internal `createRequestFromNodeRequest` builder with `app.render()` without overriding the default error page fetch behavior. How to fix Server-side Request Forgery (SSRF)? Upgrade `astro` to version 6.4.6 or higher.	<6.4.6
H Cross-site Scripting (XSS) astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `addAttribute` function, which interpolates unescaped object keys as HTML attribute names when spreading props onto elements. An attacker can execute arbitrary JavaScript in the victim's browser session by supplying malicious object keys that break out of the attribute context and inject event handlers or new elements. Note: This is only exploitable if attacker-controlled input can influence the keys of an object that is spread onto an HTML element using Astro's `{...props}` attribute spreading feature. This requires SSR or compromised data sources at build time. How to fix Cross-site Scripting (XSS)? Upgrade `astro` to version 6.4.6 or higher.	<6.4.6

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the prerenderedErrorPageFetch. An attacker can access sensitive information or interact with internal resources by sending a crafted request with a malicious Host header, which causes the server to fetch error pages from an attacker-controlled host and reflect the response back to the client.

Note: This is only exploitable if the deployment uses prerendered error pages and the internal createRequestFromNodeRequest builder with app.render() without overriding the default error page fetch behavior.

How to fix Server-side Request Forgery (SSRF)?

Upgrade astro to version 6.4.6 or higher.

<6.4.6

Cross-site Scripting (XSS)

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the addAttribute function, which interpolates unescaped object keys as HTML attribute names when spreading props onto elements. An attacker can execute arbitrary JavaScript in the victim's browser session by supplying malicious object keys that break out of the attribute context and inject event handlers or new elements.

Note: This is only exploitable if attacker-controlled input can influence the keys of an object that is spread onto an HTML element using Astro's {...props} attribute spreading feature. This requires SSR or compromised data sources at build time.

How to fix Cross-site Scripting (XSS)?

Upgrade astro to version 6.4.6 or higher.

<6.4.6

astro@6.4.4

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically