CVE-2024-56159
published 2024-12-19

CVE-2024-56159: Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code…

Priority: P179
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.47% (70.4th percentile)
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as CSS and font files, the sourcemap files **for the server code** are moved to a publicly accessible folder. Any outside party can read them with an unauthenticated HTTP GET request to the same server that hosts the rest of the website.

While some server files are hashed, which makes their names obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example, the sourcemap file for `src/pages/index.astro` is named `dist/client/pages/index.astro.mjs.map`.

This vulnerability is the root cause of issue #12703, which links to a simple StackBlitz project demonstrating it. Upon build, notice the contents of the `dist/client` folder (referred to as `config.build.client` in Astro code). All Astro servers make this folder accessible to the public internet without any authentication, and it contains `.map` files corresponding to the code that runs on the server.

All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7** that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **astro@5.0.8**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.9**, and backported to Astro v4 in **astro@4.16.18**.

The immediate impact is limited to source code. Secrets and environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the vulnerable server.
However, it is possible to subsequently discover another vulnerability via

Affected (6 ranges)

Vendor     Product  Version range               Fixed in
astro      astro    < 4.16.18                   4.16.18
astro      astro    >= 0 < 4.16.18              4.16.18
astro      astro    >= 5.0.0 < 5.0.8            5.0.8
astro      astro    >= 5.0.0-alpha.0 < 5.0.8    5.0.8
withastro  astro    < 4.16.18                   4.16.18
withastro  astro

Detection & IOCs

path: /pages/index.astro.mjs.map
path: dist/client/pages/index.astro.mjs.map
yara: all of them: body contains '"version":' AND '"sources":' AND '"sourcesContent":' AND '.astro'
  • Send unauthenticated HTTP GET requests to the predictable sourcemap paths under the public client folder, specifically paths ending in `.astro.mjs.map`
  • A successful exploit response has HTTP status 200 and a body containing all four strings `"version":`, `"sources":`, `"sourcesContent":` and `.astro`, which indicates a leaked server-side sourcemap; `"sourcesContent"` is the field that carries the original source verbatim
  • Focus detection on Astro servers with sourcemaps enabled (directly or via integrations such as Sentry); affected versions are v5.0.3–v5.0.7 (server-output) and 4.16.17 or older / 5.0.8 or older (static-output)
  • Use the Shodan query `http.html:"astro"` to identify candidate Astro-powered hosts for targeted probing
  • The publicly accessible folder is `dist/client` (`config.build.client`); monitor or block HTTP access to any `.map` file served from this directory, and check the folder for `.map` files before deploying a build
  • The vulnerability only triggers when sourcemaps are enabled in the Astro project, either directly in the config or via a third-party integration (e.g., Sentry); default Astro builds without sourcemaps are NOT affected
  • Server chunks outside the file system router may have hashed filenames, making their paths non-predictable and harder to enumerate without additional information; the sourcemaps of routes under `src/pages` follow the predictable naming shown above
  • Secrets and environment variables are only exposed if they appear verbatim in source code; the primary risk is source code disclosure enabling secondary vulnerability discovery
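The predictable path from the description above and the four-string detection rule from these notes, modelled offline as an added example (this is not code from Astro, the advisory or this database). It predicts the public sourcemap path of a file-system route, applies the page's IOC test to a response, lists what a leaked map actually exposes, and flags `.map` downloads in an access log. Assumptions of the example: the `src/pages/index.astro` naming is applied to other plain `.astro` route files, the log lines are in combined-log format, and the sourcemap body and log lines are constructed samples.

```python
"""Offline model of the CVE-2024-56159 checks described on this page.
Added example, not Astro project code; all inputs are constructed."""
import json
import re

# The four strings the detection rule requires in a 200 response body.
IOC_STRINGS = ('"version":', '"sources":', '"sourcesContent":', '.astro')
PAGES_PREFIX = "src/pages/"
CLIENT_DIR = "dist/client"  # config.build.client, served to the public


def predict_map_path(page_file):
    """Map src/pages/<route>.astro to the URL path of its server sourcemap.
    The advisory gives one instance (index.astro -> /pages/index.astro.mjs.map);
    applying the pattern to other plain .astro files is an assumption here, and
    dynamic routes such as [slug].astro may be renamed by the build."""
    if not (page_file.startswith(PAGES_PREFIX) and page_file.endswith(".astro")):
        raise ValueError("expected a src/pages/*.astro path: %r" % page_file)
    return "/pages/" + page_file[len(PAGES_PREFIX):] + ".mjs.map"


def is_leaked_server_sourcemap(status, body):
    """The page's detection rule: HTTP 200 and all four IOC strings present."""
    return status == 200 and all(s in body for s in IOC_STRINGS)


def triage_sourcemap(body):
    """Parse a leaked map and list the files whose source is embedded verbatim
    (sourcesContent); those are what an attacker can read, .astro or not."""
    smap = json.loads(body)
    sources = smap.get("sources", [])
    contents = smap.get("sourcesContent") or []
    leaked = [src for src, text in zip(sources, contents) if text]
    return {
        "version": smap.get("version"),
        "leaked_files": leaked,
        "astro_files": [s for s in leaked if s.endswith(".astro")],
    }


# Combined-log format (assumed): client, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+)[^"]*" (\d{3})')


def flag_map_requests(log_lines):
    """Return (client, path) for every successful GET of a .map file, which is
    the monitoring rule from the detection notes. Query strings are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method == "GET" and status == "200" and path.split("?", 1)[0].endswith(".map"):
            hits.append((client, path))
    return hits


# Constructed sample of what a leaked dist/client/pages/index.astro.mjs.map might hold.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "index.astro.mjs",
    "sources": ["../../../src/pages/index.astro", "../../../src/lib/db.ts"],
    "sourcesContent": [
        "---\nimport { query } from '../lib/db';\n---\n<h1>{query()}</h1>",
        "export const query = () => fetch('http://internal-api.local/');",
    ],
    "mappings": "AAAA",
})

# Constructed access-log lines: one map download, one ordinary CSS hit, one miss.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Dec/2024:10:00:00 +0000] "GET /pages/index.astro.mjs.map HTTP/1.1" 200 5123 "-" "curl/8.4.0"',
    '10.0.0.5 - - [19/Dec/2024:10:00:01 +0000] "GET /_astro/index.Dx3f.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Dec/2024:10:00:02 +0000] "GET /pages/about.astro.mjs.map HTTP/1.1" 404 153 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    path = predict_map_path("src/pages/index.astro")
    print(path, is_leaked_server_sourcemap(200, SAMPLE_MAP))
    print(triage_sourcemap(SAMPLE_MAP)["leaked_files"])
    print(flag_map_requests(SAMPLE_LOG))
```

On a live check, replace the constructed status and body with those returned by a GET to `https://<host>/pages/<route>.astro.mjs.map` for each route in `src/pages`; a 200 with a map that fails the four-string test is usually a client bundle map, not the server leak. Before deploying a build on an affected version, `find dist/client -name '*.map'` shows exactly what would become public.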

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v4.0     7.8    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck           7.8    HIGH