Withastro Astro vulnerabilities
24 known vulnerabilities affecting withastro/astro.

Total CVEs: 24
CISA KEV: 0
Public exploits: 5
Exploited in wild: 3
(The "exploited in the wild" flag on individual entries below is this tracker's own; none of these entries is in the CISA KEV catalog.)

Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 17, LOW 1

Vulnerabilities
Page 1 of 2
CVE-2025-55303 | MEDIUM, CVSS 6.1, CWE-79 | priority P1 | exploited in the wild, public PoC
Affected: >= 5.0.0-alpha.0, < 5.13.2 | Fixed in: 4.16.18 | Published: 2025-08-19
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of
Source: NVD
CVE-2024-56159 | MEDIUM, CVSS 5.3, CWE-219 | priority P1 | exploited in the wild, public PoC
Affected: >= 5.0.0, < 5.0.8 | Fixed in: 4.16.18 | Published: 2024-12-19
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an una
Source: NVD
CVE-2025-64764 | MEDIUM, CVSS 5.4, CWE-80 | priority P2 | exploited in the wild, public PoC
Fixed in: 5.15.8 | Published: 2025-11-19
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
Source: NVD
CVE-2026-25545 | HIGH, CVSS 8.6, CWE-918 | priority P2 | public PoC
Fixed in: 9.5.4 | Published: 2026-02-24
Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page (eg. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on `/500.html` and they can redirect this to any internal URL to read the response b
Source: NVD
CVE-2026-33768 | CRITICAL, CVSS 9.1, CWE-441 | priority P2
Fixed in: 10.0.2 | Published: 2026-03-24
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The
Source: NVD
CVE-2025-54793 | MEDIUM, CVSS 6.1, CWE-601 | priority P3 | public PoC
Fixed in: 9.4.1 | Published: 2025-08-08
Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. Thi
Source: NVD
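The redirect shape behind CVE-2025-54793, and a guard against it, as an added example. This is not Astro's code: the function names (normalizeRedirectPath, trailingSlashRedirect, safeLocation) and the `mode` values are this example's own. The point it makes is that a path beginning with `//` is a protocol-relative URL to a browser, so any redirect built from the raw pathname has to collapse repeated slashes first and, as a last line of defence, refuse a Location whose resolved origin differs from the site's.

```javascript
// Added example, not Astro's code. A trailing-slash redirect that can never
// leave the current origin. The bug class in CVE-2025-54793 is a pathname such
// as "//malicious-site.com/" being emitted unchanged in a Location header,
// which the browser reads as "https://malicious-site.com/".

// Collapse runs of "/" (and "\", which browsers treat as "/" in URLs) so the
// result is a single-leading-slash, same-origin path.
function normalizeRedirectPath(pathname) {
  let p = pathname.replace(/\\/g, '/').replace(/\/{2,}/g, '/');
  if (!p.startsWith('/')) p = '/' + p;
  return p;
}

// mode is 'always' or 'never' (names assumed for the example).
// Returns null when no redirect is needed, otherwise a same-origin path.
function trailingSlashRedirect(pathname, mode) {
  const p = normalizeRedirectPath(pathname);
  const hasSlash = p.length > 1 && p.endsWith('/');
  if (mode === 'always' && !hasSlash) return p + '/';
  if (mode === 'never' && hasSlash) return p.slice(0, -1);
  return null;
}

// Final guard before writing the Location header: resolve the candidate
// against the site origin and throw if the origin changed.
function safeLocation(candidate, siteOrigin) {
  const target = new URL(candidate, siteOrigin);
  if (target.origin !== new URL(siteOrigin).origin) {
    throw new Error('refusing cross-origin redirect: ' + candidate);
  }
  return target.pathname + target.search;
}
```

Using the page's own URL, `new URL('https://mydomain.com//malicious-site.com/').pathname` is `//malicious-site.com/`; normalizing it yields `/malicious-site.com/`, and `safeLocation` throws on the un-normalized form.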
CVE-2026-27829 | HIGH, CVSS 7.2, CWE-918 | priority P3
Affected: >= 9.0.0, < 9.5.4 | Published: 2026-02-26
Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote imag
Source: NVD
CVE-2026-27729 | HIGH, CVSS 7.5, CWE-770 | priority P3
Affected: >= 9.0.0, < 9.5.4 | Published: 2026-02-24
Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments. On-demand rendered sites built with Astro can define server actions, which autom
Source: NVD
CVE-2026-54299 | HIGH, CVSS 7.5, CWE-20 | priority P3
Fixed in: 6.4.6 | Published: 2026-06-22
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated agains
Source: NVD
CVE-2026-29772 | HIGH, CVSS 7.5, CWE-770 | priority P3
Fixed in: 10.0.0 | Published: 2026-03-24
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes
Source: NVD
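CVE-2026-27729 (actions) and CVE-2026-29772 (server islands) are the same defect, a body read with no cap followed by JSON.parse. The added example below is not Astro's code; MAX_BODY_BYTES, collectWithLimit, parseJsonWithLimit and readRequestJson are names chosen for this illustration. It enforces the limit while streaming, so the process never holds more than the cap in memory, and treats Content-Length only as an early-reject hint, never as the enforcement.

```javascript
// Added example, not Astro's code. Enforce a request-body byte limit while
// reading, and parse JSON only after the cap has been checked.

const MAX_BODY_BYTES = 1024 * 1024; // 1 MiB; size this to what your endpoints need

function payloadTooLarge(msg) {
  const err = new Error(msg);
  err.status = 413; // HTTP 413 Content Too Large
  return err;
}

// Consume Uint8Array chunks (from a ReadableStream reader or a Node stream)
// and abort as soon as the running total passes maxBytes.
function collectWithLimit(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > maxBytes) throw payloadTooLarge(`body exceeds ${maxBytes} bytes`);
    parts.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.byteLength; }
  return out;
}

// Parse capped bytes as JSON. A Content-Length hint, when present, lets the
// server reject an oversized request before reading any body bytes; it is
// attacker-controlled and may be absent or wrong, so the streaming cap above
// is what actually protects the process.
function parseJsonWithLimit(chunks, contentLength, maxBytes = MAX_BODY_BYTES) {
  if (contentLength != null && Number(contentLength) > maxBytes) {
    throw payloadTooLarge('declared Content-Length exceeds limit');
  }
  return JSON.parse(new TextDecoder().decode(collectWithLimit(chunks, maxBytes)));
}

// Adapter for a Fetch-API Request, which is what an Astro endpoint receives.
async function readRequestJson(request, maxBytes = MAX_BODY_BYTES) {
  const declared = request.headers.get('content-length');
  if (declared != null && Number(declared) > maxBytes) {
    throw payloadTooLarge('declared Content-Length exceeds limit');
  }
  if (!request.body) return parseJsonWithLimit([], declared, maxBytes);
  const reader = request.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {        // stop reading; do not buffer any further
      await reader.cancel();
      throw payloadTooLarge(`body exceeds ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return parseJsonWithLimit(chunks, declared, maxBytes);
}
```

A 413 from this path is the desired outcome; the handler that calls `readRequestJson` should map `err.status` to the response rather than let the error propagate to a 500 page (which, per CVE-2026-25545 and CVE-2026-54299, may itself trigger a fetch).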
CVE-2025-61925 | MEDIUM, CVSS 6.5, CWE-470 | priority P3
Affected: >= 2.16.0, < 5.15.5 | Published: 2025-10-10
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such, a malicious request can be sent with both a `Host` header and an
Source: NVD
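CVE-2026-25545, CVE-2026-54299 and CVE-2025-61925 share one root cause: the request origin is rebuilt from the Host or X-Forwarded-Host header and then either used for a server-side fetch (the prerendered /500.html) or reflected through Astro.url. The added example below is not Astro's code; SITE, resolveTrustedOrigin and errorPageUrl are names chosen for this illustration, and `https://example.com` stands in for the configured site URL. It accepts a host only if it is on an explicit allowlist and otherwise falls back to the configured site, so an attacker-supplied header can never become the origin of an internal fetch or of a URL emitted into a page.

```javascript
// Added example, not Astro's code. Resolve a trusted origin from request
// headers instead of trusting Host / X-Forwarded-Host verbatim.

const SITE = {
  url: 'https://example.com', // assumed deployment URL (what Astro's `site` option would hold)
  allowedHosts: new Set(['example.com', 'www.example.com']),
};

function headerValue(headers, name) {
  // accept a Fetch Headers object or a plain object keyed by lowercase name
  const v = typeof headers.get === 'function' ? headers.get(name) : headers[name];
  return v == null ? '' : String(v);
}

// Returns the origin to use for internal fetches and for URL values exposed to
// templates. Never returns an origin derived from an unvalidated header.
function resolveTrustedOrigin(headers, site = SITE) {
  const proto = new URL(site.url).protocol;
  // X-Forwarded-Host first (what a proxy would set), then Host; both are
  // untrusted input until matched against the allowlist.
  for (const name of ['x-forwarded-host', 'host']) {
    const raw = headerValue(headers, name).split(',')[0].trim().toLowerCase();
    const host = raw.replace(/:\d+$/, ''); // port is ignored for the allowlist check
    if (host && site.allowedHosts.has(host)) return `${proto}//${host}`;
  }
  return new URL(site.url).origin;
}

// Where the vulnerable path built "<origin from request.url>/500.html", derive
// the error-page URL from the trusted origin instead.
function errorPageUrl(headers, status, site = SITE) {
  return `${resolveTrustedOrigin(headers, site)}/${status}.html`;
}
```

If the deployment runs on a non-default port, add the port to the allowlist entries and drop the `replace(/:\d+$/, '')` so the port is validated too. When no proxy is in front of the app, X-Forwarded-Host should simply not be consulted.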
CVE-2024-56140 | MEDIUM, CVSS 6.5, CWE-352 | priority P4
Fixed in: 4.16.17 | Published: 2024-12-18
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-del
Source: NVD
CVE-2026-33769 | MEDIUM, CVSS 5.3, CWE-20 | priority P4
Affected: >= 2.10.10, < 5.18.1 | Published: 2026-03-24
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still ma
Source: NVD
CVE-2025-64765 | MEDIUM, CVSS 5.3, CWE-22 | priority P4
Fixed in: 5.15.8 | Published: 2025-11-19
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the sa
Source: NVD
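The mismatch in CVE-2025-64765, shown as an added example that is not Astro's code: a guard that compares the raw `pathname` can be bypassed by percent-encoding when the router decides on the decoded form. canonicalPath, isProtectedRaw and isProtectedCanonical are names chosen for this illustration, and the canonicalisation is a stand-in for Astro's, not a copy of it; it applies decodeURI() because that is the function the entry above says the router uses.

```javascript
// Added example, not Astro's code. Guards and router must agree on one
// canonical path form, or the guard can be bypassed with percent-encoding.

// Canonical form used by both router and guards here: let the URL parser
// resolve dot-segments (it also folds "%2e%2e"), then decode with decodeURI,
// the function the advisory says the router applies.
function canonicalPath(rawPathname) {
  try {
    return decodeURI(new URL(rawPathname, 'http://placeholder').pathname);
  } catch {
    return null; // malformed escape sequence: no route, never "allowed"
  }
}

// Vulnerable shape: the guard reads the raw pathname. "/%61dmin/users" does
// not start with "/admin", yet the router decodes it to exactly that.
function isProtectedRaw(rawPathname) {
  return rawPathname.startsWith('/admin');
}

// Hardened shape: guard and router share the canonical form, a path that
// fails to canonicalise is denied, and the prefix check is segment-aware so
// "/adminx" is not mistaken for "/admin".
function isProtectedCanonical(rawPathname) {
  const p = canonicalPath(rawPathname);
  if (p === null) return true;
  return p === '/admin' || p.startsWith('/admin/');
}
```

The practical rule: whatever normalisation the framework applies before routing, run the same function on the value the middleware inspects, and fail closed when it throws.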
CVE-2026-41067 | MEDIUM, CVSS 6.1, CWE-79 | priority P4
Fixed in: 6.1.6 | Published: 2026-04-24
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypas
Source: NVD
CVE-2026-54298 | MEDIUM, CVSS 6.1, CWE-79 | priority P4
Fixed in: 6.4.6 | Published: 2026-06-22
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an u
Source: NVD
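Two SSR escaping sinks from this page, CVE-2026-41067 (a case-sensitive "</script>" replacement is not how the HTML tokenizer ends a script element) and CVE-2026-54298 (escaping the value does nothing when the attribute name is interpolated raw), shown as an added example with each sink in a vulnerable shape beside a hardened one. This is not Astro's code: the function names are this example's own, and the vulnerable shapes only mirror the descriptions above, not the actual implementation.

```javascript
// Added example, not Astro's code. Two SSR output-escaping sinks.

// --- sink 1: values serialised into an inline <script> (define:vars) ---

// Vulnerable shape: only the exact lowercase closing tag is neutralised, so
// "</SCRIPT>", "</script >" and "</script/>" all survive.
function serializeForScriptNaive(value) {
  return JSON.stringify(value).replace(/<\/script>/g, '<\\/script>');
}

// Hardened shape: escape every "<" as a JS string escape (plus U+2028/2029,
// which terminate JS source lines), so no "</" can survive in any case or
// spacing. The output is still valid JS and parses back to the same value.
function serializeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Models the tokenizer's script end-tag rule: "</script" case-insensitively,
// followed by whitespace, "/" or ">". Use it as a regression check, not as
// the sanitiser itself.
const SCRIPT_END_TAG = /<\/script(?=[\s/>])/i;
function breaksOutOfScript(serialized) {
  return SCRIPT_END_TAG.test(serialized);
}

// --- sink 2: object keys spread onto an element ({...props}) ---

const ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_.:-]*$/;

function escapeAttrValue(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Vulnerable shape: the key is interpolated verbatim, so a key containing a
// space writes extra attributes, including event handlers.
function spreadAttributesNaive(props) {
  let out = '';
  for (const [k, v] of Object.entries(props)) out += ` ${k}="${escapeAttrValue(v)}"`;
  return out;
}

// Hardened shape: keys must be syntactically valid attribute names, and
// event-handler attributes are dropped unless explicitly allowed.
function spreadAttributes(props, { allowEventHandlers = false } = {}) {
  let out = '';
  for (const [k, v] of Object.entries(props)) {
    if (!ATTR_NAME.test(k)) continue;               // drop, or throw to fail loudly
    if (!allowEventHandlers && /^on/i.test(k)) continue;
    out += ` ${k}="${escapeAttrValue(v)}"`;
  }
  return out;
}
```

Both fixes follow the same principle: encode for the exact context the bytes land in (JS string inside script data; attribute name inside a start tag), rather than pattern-matching for one spelling of the dangerous sequence.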
CVE-2026-45028 | MEDIUM, CVSS 6.1, CWE-323 | priority P4
Fixed in: 6.1.10 | Published: 2026-05-13
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) val
Source: NVD
CVE-2026-54300 | MEDIUM, CVSS 5.3, CWE-918 | priority P4
Fixed in: 7.0.13 | Published: 2026-06-22
@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is con
Source: NVD
CVE-2025-65019 | MEDIUM, CVSS 6.1, CWE-79 | priority P4
Fixed in: 5.15.9 | Published: 2025-11-19
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through mal
Source: NVD
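Five entries on this page are failures of a single check, "is this remote image URL allowed?": CVE-2025-55303 (unauthorized domains served by /_image), CVE-2026-27829 (inferSize bypassing image.domains / image.remotePatterns), CVE-2026-33769 (unanchored "/*" path match), CVE-2025-65019 (data: URLs accepted) and CVE-2026-54300 (a wildcard hostname turned into an over-broad regular expression). The added example below is this example's own matcher, not Astro's or the Netlify adapter's code: it accepts only http(s), compiles a wildcard hostname into an anchored, dot-escaped RegExp, and anchors path patterns at the start of the pathname. The pattern shape (protocol, hostname, port, pathname) mirrors Astro's `image.remotePatterns` option; the matching semantics here are assumptions for the illustration.

```javascript
// Added example, not Astro's code. One allowlist check for remote image URLs
// that closes the five gaps listed above.

// Compile a hostname pattern into an anchored RegExp: "." is escaped, "*" is
// exactly one label, "**" is one or more labels, and the whole hostname must
// match. So "*.example.com" matches "a.example.com" but not
// "evil-example.com", "a.example.com.attacker.test" or "a.b.example.com".
function hostPatternToRegex(pattern) {
  const src = pattern.toLowerCase().split('.').map((label) => {
    if (label === '**') return '[a-z0-9-]+(?:\\.[a-z0-9-]+)*';
    if (label === '*') return '[a-z0-9-]+';
    return label.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // literal label
  }).join('\\.');
  return new RegExp(`^${src}$`, 'i');
}

// Path patterns are anchored at the start of the pathname. "/x/*" allows one
// more segment; "/x/**" allows any depth; otherwise exact match.
function pathMatches(pattern, pathname) {
  if (!pattern) return true;
  if (pattern.endsWith('/**')) {
    return pathname === pattern.slice(0, -3) || pathname.startsWith(pattern.slice(0, -2));
  }
  if (pattern.endsWith('/*')) {
    const base = pattern.slice(0, -1);                 // keep the trailing "/"
    if (!pathname.startsWith(base)) return false;      // anchored: no "/evil/x/..." bypass
    const rest = pathname.slice(base.length);
    return rest.length > 0 && !rest.includes('/');
  }
  return pathname === pattern;
}

const stripColon = (p) => String(p).replace(/:$/, '');

// domains: exact hostnames; remotePatterns: { protocol?, hostname?, port?, pathname? }
function isRemoteAllowed(urlString, { domains = [], remotePatterns = [] } = {}) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  // Only network schemes; this alone rejects data:, javascript:, file: and blob:.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  if (domains.some((d) => d.toLowerCase() === host)) return true;
  return remotePatterns.some((p) =>
    (!p.protocol || stripColon(p.protocol) === stripColon(url.protocol)) &&
    (!p.hostname || hostPatternToRegex(p.hostname).test(host)) &&
    (!p.port || String(p.port) === url.port) &&
    pathMatches(p.pathname, url.pathname));
}
```

When a platform (a CDN, an adapter) needs the same allowlist expressed in its own format, generate it from one canonical matcher and test the generated form against the same negative cases; CVE-2026-54300 is what happens when the translation is looser than the original.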
CVE-2025-64745 | MEDIUM, CVSS 6.1, CWE-79 | priority P4
Affected: >= 5.2.0, < 5.15.6 | Published: 2025-11-13
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malic
Source: NVD