Unintended Proxy or Intermediary ('Confused Deputy') Affecting @astrojs/vercel package, versions <10.0.2


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.33% (25th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-ASTROJSVERCEL-15763367
  • published25 Mar 2026
  • disclosed24 Mar 2026
  • creditjp_soba

Introduced: 24 Mar 2026

CVE-2026-33768  (opens in a new tab)
CWE-441  (opens in a new tab)

How to fix?

Upgrade @astrojs/vercel to version 10.0.2 or higher.

Overview

@astrojs/vercel is a Deploy your site to Vercel

Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the x-astro-path header or x_astro_path query parameter, which allows overriding internal request paths without authentication. An attacker can access restricted endpoints or bypass platform-level path restrictions by crafting requests that manipulate these parameters, potentially reaching sensitive routes such as /admin/* even when firewall rules are in place.

Note: This can only be executed when no src/middleware.ts is defined, or middleware is not using Edge mode.

CVSS Base Scores

version 4.0
version 3.1