Astro
CVE-2024-56140
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 4 npm packages depend on astro (3 direct, 1 indirect)
Ecosystem-wide dependent count for version 4.16.17.
DescriptionNVD
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in Content-Type. Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the Content-Type header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in Content-Type. Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the Content-Type header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Astro. Version information: version 4.16.17.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerabi
Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.8), this vulnerability is remotely exp
Astro is a web framework. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication
Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.9), this vulnerability is remotely e
Astro is a web framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticatio
Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely e
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c
Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected rout
Sentry-Javascript is official Sentry SDKs for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely
The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vuln
Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST
The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to ver
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today