CVE-2024-56140
published 2024-12-18CVE-2024-56140: Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks…
PriorityP434medium6.5CVSS 3.1
AVNACLPRNUIRSUCNIHAN
EPSS
0.21%
11.5th percentile
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | < 4.16.17 | 4.16.17 |
| astro | astro | >= 0 < 4.16.17 | 4.16.17 |
| withastro | astro | < 4.16.17 | 4.16.17 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Atro CSRF Middleware Bypass (security.checkOrigin)
ghsa·2024-12-18
CVE-2024-56140 [MEDIUM] CWE-352 Atro CSRF Middleware Bypass (security.checkOrigin)
Atro CSRF Middleware Bypass (security.checkOrigin)
### Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
### Details
When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)
For example, with the following Astro configuration:
```js
// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';
export default defineConfig({
output: 'server',
security: { checkOrigin: true },
adapter: node({ mode: 'standalone' }),
});
```
A request like the following would be blocked if made from a different origin:
```js
// fetch
OSV
Atro CSRF Middleware Bypass (security.checkOrigin)
osv·2024-12-18
CVE-2024-56140 [MEDIUM] Atro CSRF Middleware Bypass (security.checkOrigin)
Atro CSRF Middleware Bypass (security.checkOrigin)
### Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
### Details
When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)
For example, with the following Astro configuration:
```js
// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';
export default defineConfig({
output: 'server',
security: { checkOrigin: true },
adapter: node({ mode: 'standalone' }),
});
```
A request like the following would be blocked if made from a different origin:
```js
// fetch
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requestshttps://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.tshttps://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514dehttps://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
2024-12-18
Published