Skip to main content

Astro CVE-2024-56140

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-12-18 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 18, 2024 - 21:15 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on astro (3 direct, 1 indirect)

Ecosystem-wide dependent count for version 4.16.17.

DescriptionNVD

Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in Content-Type. Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the Content-Type header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in Content-Type. Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the Content-Type header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Astro. Version information: version 4.16.17.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Astro

View all
CVE-2018-7180 CRITICAL POC
9.8 Feb 17

SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2024-56159 HIGH POC
7.8 Dec 19

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.8), this vulnerability is remotely exp

CVE-2025-64764 HIGH POC
7.1 Nov 19

Astro is a web framework. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication

CVE-2025-55303 MEDIUM POC
6.9 Aug 19

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.9), this vulnerability is remotely e

CVE-2025-64525 MEDIUM POC
6.5 Nov 13

Astro is a web framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticatio

CVE-2025-54793 MEDIUM POC
5.5 Aug 08

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely e

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2026-59731 HIGH
8.2 Jul 08

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected rout

CVE-2023-50249 HIGH
7.5 Dec 20

Sentry-Javascript is official Sentry SDKs for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2026-33768 MEDIUM
6.5 Mar 24

The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vuln

CVE-2026-29772 MEDIUM
5.9 Mar 24

Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST

CVE-2024-47885 MEDIUM
5.4 Oct 14

The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to ver

Share

CVE-2024-56140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy