astro
npm19 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting astropage 1 of 1
- CVE-2024-47885MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.16.12024-10-14
The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored*…
- CVE-2024-56140MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.16.172024-12-18
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro mi…
- CVE-2024-56159MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.16.182024-12-19
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap file…
- CVE-2025-54793MEDIUMCVSS 6.1EG 6.1✓ Fixed in 5.12.82025-08-08
Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to red…
- CVE-2025-55303MEDIUMCVSS 6.1EG 6.1✓ Fixed in 4.16.192025-08-19
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be s…
- CVE-2025-59837HIGHCVSS 7.2EG 7.2✓ Fixed in 5.13.102025-10-28
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary UR…
- CVE-2025-61925MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.14.32025-10-10
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, …
- CVE-2025-64525MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.15.52025-11-13
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This ha…
- CVE-2025-64745MEDIUMCVSS 6.1EG 2.7✓ Fixed in 5.15.62025-11-13
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. A…
- CVE-2025-64757LOWCVSS 3.5EG 3.5✓ Fixed in 5.14.32025-11-19
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affe…
- CVE-2025-64764MEDIUMCVSS 5.4EG 7.1✓ Fixed in 5.15.82025-11-19
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has b…
- CVE-2025-64765MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.15.82025-11-19
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies dec…
- CVE-2025-65019MEDIUMCVSS 6.1EG 5.4✓ Fixed in 5.15.92025-11-19
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() func…
- CVE-2025-66202MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.15.82025-12-09
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected route…
- CVE-2026-41067MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.1.62026-04-24
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive…
- CVE-2026-45028MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.1.102026-05-13
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or paramet…
- CVE-2026-50146MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.3.32026-06-16
Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attrib…
- CVE-2026-54298MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.4.62026-06-16
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without e…
- CVE-2026-54299HIGHCVSS 7.5EG 7.5✓ Fixed in 6.4.62026-06-16
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from re…
Check whether astro is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for astro CVEs against the assets you own.
Start Free Scan →