Skip to main content

Astro CVE-2024-56159

HIGH
Storage of File with Sensitive Data Under Web Root (CWE-219)
2024-12-19 security-advisories@github.com
7.8
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Dec 19, 2024 - 19:15 cve.org
HIGH 7.8

DescriptionCVE.org

Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example. the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server. All server-output projects on Astro 5 versions v5.0.3 through v5.0.7, that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in astro@5.0.8. Additionally, all static-output projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.8 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.9, and backported to Astro v4 in astro@4.16.18. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for server-output projects was released in astro@5.0.8, and the fix for static-output projects was released in astro@5.0.9 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.

AnalysisAI

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-219. Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example. the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server. All server-output projects on Astro 5 versions v5.0.3 through v5.0.7, that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in astro@5.0.8. Additionally, all static-output projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.8 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.9, and backported to Astro v4 in astro@4.16.18. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for server-output projects was released in astro@5.0.8, and the fix for static-output projects was released in astro@5.0.9 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps. Affected products include: Astro.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Astro

View all
CVE-2018-7180 CRITICAL POC
9.8 Feb 17

SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-64764 HIGH POC
7.1 Nov 19

Astro is a web framework. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication

CVE-2025-55303 MEDIUM POC
6.9 Aug 19

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.9), this vulnerability is remotely e

CVE-2025-64525 MEDIUM POC
6.5 Nov 13

Astro is a web framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticatio

CVE-2025-54793 MEDIUM POC
5.5 Aug 08

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely e

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2026-59731 HIGH
8.2 Jul 08

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected rout

CVE-2023-50249 HIGH
7.5 Dec 20

Sentry-Javascript is official Sentry SDKs for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2026-33768 MEDIUM
6.5 Mar 24

The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vuln

CVE-2024-56140 MEDIUM
6.5 Dec 18

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2026-29772 MEDIUM
5.9 Mar 24

Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST

CVE-2024-47885 MEDIUM
5.4 Oct 14

The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to ver

Share

CVE-2024-56159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy