astro

npm5 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting astropage 1 of 1

CVE-2024-47885MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.16.1
2024-10-14
The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored*…
CVE-2024-56140MEDIUMCVSS 5.9EG 5.9✓ Fixed in 4.16.17
2024-12-18
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro mi…
CVE-2024-56159MEDIUMCVSS 5.3EG 5.3✓ Fixed in 4.16.18
2024-12-19
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap file…
CVE-2026-41067MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.1.6
2026-04-24
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive…
CVE-2026-45028MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.1.10
2026-05-13
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or paramet…

Check whether astro is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for astro CVEs against the assets you own.

Start Free Scan →