astro
npm | 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting astro (page 1 of 1)
- CVE-2024-47885 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 4.16.1 | 2024-10-14
The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have *stored*…
- CVE-2024-56140 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 4.16.17 | 2024-12-18
Astro is a web framework for content-driven websites. In affected versions, a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro mi…
- CVE-2024-56159 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 4.16.18 | 2024-12-19
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap file…
- CVE-2025-55303 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 5.13.2 | 2025-08-19
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be s…
- CVE-2025-59837 | HIGH | CVSS 7.2 | EG 7.2 | Fixed in 5.13.10 | 2025-10-28
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary UR…
- CVE-2025-64525 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 5.15.5 | 2025-11-13
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 that use on-demand rendering, the request headers `x-forwarded-proto` and `x-forwarded-port` are used, without sanitization, to build the URL. This ha…
- CVE-2025-64757 | LOW | CVSS 3.5 | EG 3.5 | Fixed in 5.14.3 | 2025-11-19
Astro is a web framework. Prior to version 5.14.3, the Astro development server allows arbitrary local file read through the image optimization endpoint. The vulnerability affe…
- CVE-2025-66202 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 5.15.8 | 2025-12-09
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass that allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected route…
- CVE-2026-41067 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 6.1.6 | 2026-04-24
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive…
- CVE-2026-45028 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 6.1.10 | 2026-05-13
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or paramet…
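The check a practitioner wants from a list like this is "which of these apply to the version I have installed, and what is the lowest version that clears all of them". The script below is an added example, not EchelonGraph's tooling or Astro's code. Its ranges are transcribed from the summaries above: where a summary gives no lower bound, only the "Fixed in" version is used; CVE-2025-55303 is read as two ranges because its summary names fixes on both the 4.x and 5.x lines. Backported fixes on older major lines that the summaries do not mention are not modelled, so a match means "read the full advisory", not "confirmed exploitable".

```javascript
// Offline check of an installed astro version against the CVEs listed on this page.
// Added example; ranges transcribed from the (truncated) summaries above.
const ADVISORIES = [
  { cve: 'CVE-2024-47885', ranges: [{ from: '3.0.0', fixed: '4.16.1' }] },
  { cve: 'CVE-2024-56140', ranges: [{ from: null, fixed: '4.16.17' }] },
  { cve: 'CVE-2024-56159', ranges: [{ from: null, fixed: '4.16.18' }] },
  // summary: "before 5.13.2 and 4.16.18", read as one range per major line (assumption)
  { cve: 'CVE-2025-55303', ranges: [{ from: null, fixed: '4.16.18' }, { from: '5.0.0', fixed: '5.13.2' }] },
  { cve: 'CVE-2025-59837', ranges: [{ from: '5.13.4', fixed: '5.13.10' }] },
  { cve: 'CVE-2025-64525', ranges: [{ from: '2.16.0', fixed: '5.15.5' }] },
  { cve: 'CVE-2025-64757', ranges: [{ from: null, fixed: '5.14.3' }] },
  { cve: 'CVE-2025-66202', ranges: [{ from: null, fixed: '5.15.8' }] },
  { cve: 'CVE-2026-41067', ranges: [{ from: null, fixed: '6.1.6' }] },
  { cve: 'CVE-2026-45028', ranges: [{ from: null, fixed: '6.1.10' }] },
];

// Parse "5.13.5" or "v5.13.5-beta.1" into numeric parts plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator: negative if a < b. A prerelease sorts below its release
// (5.13.2-beta.0 < 5.13.2), so a beta of the fix is still reported as affected.
// Prerelease tags are compared lexically, which is enough for this check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Affected if from <= version < fixed (no lower bound when from is null).
function inRange(version, { from, fixed }) {
  return (from === null || compareVersions(version, from) >= 0)
      && compareVersions(version, fixed) < 0;
}

// CVE IDs from this page whose transcribed range contains the installed version.
function affectedCves(installed) {
  return ADVISORIES
    .filter(a => a.ranges.some(r => inRange(installed, r)))
    .map(a => a.cve);
}

// Highest "Fixed in" among the matching ranges: the lowest version that clears all of them.
function minimumFix(installed) {
  let best = null;
  for (const a of ADVISORIES) {
    for (const r of a.ranges) {
      if (inRange(installed, r) && (best === null || compareVersions(r.fixed, best) > 0)) {
        best = r.fixed;
      }
    }
  }
  return best;
}

// Usage: pass the version reported by `npm ls astro`, e.g.
//   affectedCves('5.13.5')  // six IDs from this page
//   minimumFix('5.13.5')    // '6.1.10'
```

Feed it the version from `npm ls astro` or from the lockfile; a monorepo with several lockfiles needs a run per lockfile, because a hoisted `astro` in one workspace says nothing about a pinned older copy in another.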
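Two of the entries above, CVE-2025-59837 (backslashes in the image proxy's href parameter) and CVE-2025-66202 (double URL encoding against path-based middleware checks), are instances of one mistake: the code that validates a URL or path and the code that later acts on it do not see the same string. The block below is an added example and is not Astro's code; the naive validators are illustrative reconstructions of the bypass class, the `ALLOWED_IMAGE_HOSTS` allowlist, the `/admin` prefix and the two-stage decoding pipeline are assumptions, and the hardened forms show the fix pattern of canonicalising once and using that single form for both the check and the action.

```javascript
// Added example, not Astro's code. Illustrates the bypass class behind two entries above.
const ALLOWED_IMAGE_HOSTS = new Set(['images.example.com']); // hypothetical allowlist

// --- 1. Backslash in an href parameter (cf. CVE-2025-59837) ---------------------
// Naive validator: extracts the host from the raw string. It stops at '/', '?', '#'
// and strips userinfo at '@', but never treats '\' as a delimiter.
function naiveHostAllowed(href) {
  const afterScheme = href.replace(/^https?:\/\//i, '');
  const authority = afterScheme.split(/[/?#]/)[0];
  const host = authority.split('@').pop();
  return ALLOWED_IMAGE_HOSTS.has(host.toLowerCase());
}

// What the fetch layer actually connects to: the WHATWG URL parser treats '\' as '/'
// for http(s), so the authority ends at the first backslash.
function actualHost(href) {
  return new URL(href).hostname;
}

// Hardened: refuse backslashes outright, parse once, compare the parsed hostname
// exactly, and hand the parsed href (not the raw string) to the fetcher.
function hardenedImageTarget(href) {
  if (href.includes('\\')) return null;
  let url;
  try { url = new URL(href); } catch { return null; }
  if (url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// --- 2. Double URL encoding against a path-prefix check (cf. CVE-2025-66202) ----
// Naive pipeline (assumed shape): the server decodes the request-target once before
// middleware sees it, and route resolution decodes again. Two decoders means a
// doubly-encoded path passes the check and still resolves to the protected route.
function naivePipeline(rawPath) {
  const seen = decodeURIComponent(rawPath);
  if (seen.startsWith('/admin')) return { blocked: true };
  return { blocked: false, route: decodeURIComponent(seen) };
}

// Canonicalise exactly once. Anything still percent-encoded afterwards was
// double-encoded and is refused rather than guessed at; so are '\' and '..'.
function canonicalPath(rawPath) {
  let p;
  try { p = decodeURIComponent(rawPath); } catch { return null; }
  if (/%[0-9a-fA-F]{2}/.test(p)) return null;
  if (p.includes('\\') || p.split('/').includes('..')) return null;
  return p;
}

// Hardened pipeline: check and router use the same canonical string; fail closed.
function hardenedPipeline(rawPath) {
  const p = canonicalPath(rawPath);
  if (p === null) return { blocked: true };
  if (p.startsWith('/admin')) return { blocked: true };
  return { blocked: false, route: p };
}
```

Run `naiveHostAllowed` and `actualHost` on `https://evil.example\@images.example.com/x.png` to see the disagreement: the validator accepts it because `images.example.com` follows the `@`, while `new URL()` reports `evil.example` as the host. For the path case, `/%2561dmin/users` passes the naive check as `/%61dmin/users` and then routes as `/admin/users`, whereas `canonicalPath` refuses it because an escape survives the single decode.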
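The CVE-2026-41067 entry names the exact pattern, a case-sensitive `/<\/script>/g`, which matters because the HTML tokenizer ends script data on `</script` in any letter case, so `</ScRiPt>` in an injected value closes the tag while the regex never fires. The block below is an added example, not Astro's `defineScriptVars`: the render helper and the replacement string `<\/script>` used by the case-sensitive variant are assumptions standing in for the real code, and the hardened escaper shows the usual fix of escaping `<`, `>`, `&` and the U+2028/2029 line terminators as `\uXXXX` sequences, which JavaScript decodes back inside string literals.

```javascript
// Added example, not Astro's code. The case-sensitive regex is the one named in
// CVE-2026-41067; everything around it is a reconstruction.

// Escaper as described in the entry: only an exact lowercase "</script>" is touched.
// Replacement string is an assumption.
function escapeScriptValueCaseSensitive(serialized) {
  return serialized.replace(/<\/script>/g, '<\\/script>');
}

// Hardened escaper: no '<', '>' or '&' ever reaches the HTML tokenizer, in any case,
// and JS line terminators that are not valid in a script source are escaped too.
// Inside a JSON/JS string literal "\u003c" still evaluates to "<", so values survive.
function escapeForInlineScript(serialized) {
  return serialized
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Stand-in for a define:vars render (assumed shape): each var becomes a const
// initialised from its JSON form, then run through the chosen escaper.
function renderInlineScript(vars, escape) {
  const body = Object.entries(vars)
    .map(([name, value]) => `const ${name} = ${escape(JSON.stringify(value))};`)
    .join('\n');
  return `<script>\n${body}\n</script>`;
}

// Does the rendered markup close the script early? Mirrors the tokenizer rule:
// "</script" followed by whitespace, "/" or ">" ends script data, case-insensitively.
function scriptBreaksOut(html) {
  const inner = html.slice('<script>'.length, -'</script>'.length);
  return /<\/script[\s/>]/i.test(inner);
}
```

With `{ title: '</ScRiPt><script>alert(1)//' }`, the case-sensitive escaper leaves the value untouched and `scriptBreaksOut` reports a break-out; the same value through `escapeForInlineScript` stays inside the script and round-trips through `JSON.parse` unchanged. Escaping `<` unconditionally also removes the need to reason about `<!--` sequences, which put the tokenizer into its escaped script-data states.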
Check whether astro is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for astro CVEs against the assets you own.