Skip to main content

Astro EUVDEUVD-2026-38337

| CVE-2026-54299 HIGH
Improper Input Validation (CWE-20)
2026-06-16 https://github.com/withastro/astro GHSA-2pvr-wf23-7pc7
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable via spoofed Host header with no auth or UI; AC:H reflects the non-default prerendered-error-page + custom-adapter prerequisite; scope change and C:H/I:L for reflected cross-origin content.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 15:22 vuln.today
Analysis Generated
Jun 16, 2026 - 15:22 vuln.today

DescriptionNVD

Summary

Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response.

Who is affected

This affects SSR deployments that:

  1. Have a prerendered 404 or 500 page
  2. Use createRequestFromNodeRequest from astro/app/node with app.render() without overriding prerenderedErrorPageFetch - this includes custom servers built on the public API and third-party adapters

Not affected:

  • @astrojs/node >= 9.5.4 (reads error pages from disk)
  • @astrojs/cloudflare (uses the ASSETS binding)
  • The dev server (renders error pages in-process)

How it works

createRequestFromNodeRequest builds request.url from the raw Host / :authority header. The allowedDomains option is accepted but only gates X-Forwarded-For - it does not constrain the URL origin. (The public createRequest does fall back to localhost for unvalidated hosts; this internal builder did not.)

When app.render() encounters a 404 or 500 with a prerendered error route, default-handler.ts constructs the error page URL using the origin from request.url and fetches it via prerenderedErrorPageFetch, which defaults to global fetch. The response body is served to the client.

An attacker sends a request with Host: attacker-host:port, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back.

Remediation

The error page fetch origin is now validated against allowedDomains before use. When the host is validated, the original origin is preserved. Otherwise, it falls back to localhost. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response.

Credit

5ud0 / Tarmo Technologies

AnalysisAI

Server-side request forgery in Astro SSR deployments (npm package astro < 6.4.6) allows remote unauthenticated attackers to coerce the runtime into fetching attacker-controlled URLs by spoofing the HTTP Host header when a prerendered /404 or /500 page is configured. The attacker-controlled response body is reflected back to the victim, enabling information disclosure from internal services reachable by the application. No public exploit identified at time of analysis; the issue was responsibly disclosed by Tarmo Technologies via GitHub Security Advisory GHSA-2pvr-wf23-7pc7.

Technical ContextAI

Astro is a JavaScript web framework supporting server-side rendering (SSR). The vulnerability resides in the internal helper createRequestFromNodeRequest in astro/app/node, which constructs request.url directly from the incoming Host (HTTP/1.1) or :authority (HTTP/2) header without validating it against the allowedDomains configuration - that option only filters X-Forwarded-For. When app.render() hits a route configured with export const prerender = true for /404 or /500, default-handler.ts builds the error-page URL from this tainted origin and invokes prerenderedErrorPageFetch (defaulting to global fetch). This is a classic CWE-20 (Improper Input Validation) flaw that manifests as a server-side request forgery primitive. The affected CPE is pkg:npm/astro; the public createRequest helper already mitigated this by falling back to localhost, but the internal builder did not.

RemediationAI

Vendor-released patch: astro 6.4.6 - upgrade the astro npm package to >= 6.4.6, which validates the error-page fetch origin against allowedDomains, preserves the original origin only when validated (otherwise falling back to localhost), and wraps the fetch in try/catch so connection failures degrade to a plain error response. If immediate upgrade is not possible, compensating controls include: explicitly overriding prerenderedErrorPageFetch in your custom server/adapter to ignore request.url and target a trusted internal origin (trade-off: requires code change in every adapter); switching to @astrojs/node >= 9.5.4 which serves error pages from disk; removing export const prerender = true from /404 and /500 routes so error pages render in-process (trade-off: loses static prerendering benefits for error pages); or placing a reverse proxy in front that strips or normalizes the Host header to a known good value before it reaches the Node app (trade-off: must be enforced for HTTP/1.1 Host and HTTP/2 :authority). Reference the advisory at https://github.com/withastro/astro/security/advisories/GHSA-2pvr-wf23-7pc7.

Share

EUVD-2026-38337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy