Astrojs Node
Monthly
Astro web framework versions 9.0.0 through 9.5.3 fail to validate remote image domains when the inferSize option is enabled, allowing attackers to trigger server-side requests to arbitrary hosts and bypass configured image.domains and image.remotePatterns restrictions. An attacker controlling image URLs through CMS content or user input can exploit this to perform SSRF attacks or access unauthorized resources. Public exploit code exists for this vulnerability.
Memory exhaustion denial of service in Astro 9.0.0 through 9.5.3 allows remote attackers to crash server processes by sending oversized POST requests to server action endpoints without size restrictions. The framework buffers entire request bodies into memory with no limits, enabling a single large request to exhaust heap memory on affected deployments. Public exploit code exists for this vulnerability, which is particularly impactful in containerized environments where repeated crashes trigger persistent restart loops.
Astro web framework versions prior to 9.5.4 contain a server-side request forgery vulnerability in error page handling that allows unauthenticated remote attackers to bypass Host header validation and redirect requests to internal services or cloud metadata endpoints. By manipulating the Host header when accessing prerendered error pages, attackers can read response bodies from internal URLs, cloud metadata services, or localhost resources. Public exploit code exists for this vulnerability, which affects applications using custom error pages without proper Host validation.
Astro web framework versions 9.0.0 through 9.5.3 fail to validate remote image domains when the inferSize option is enabled, allowing attackers to trigger server-side requests to arbitrary hosts and bypass configured image.domains and image.remotePatterns restrictions. An attacker controlling image URLs through CMS content or user input can exploit this to perform SSRF attacks or access unauthorized resources. Public exploit code exists for this vulnerability.
Memory exhaustion denial of service in Astro 9.0.0 through 9.5.3 allows remote attackers to crash server processes by sending oversized POST requests to server action endpoints without size restrictions. The framework buffers entire request bodies into memory with no limits, enabling a single large request to exhaust heap memory on affected deployments. Public exploit code exists for this vulnerability, which is particularly impactful in containerized environments where repeated crashes trigger persistent restart loops.
Astro web framework versions prior to 9.5.4 contain a server-side request forgery vulnerability in error page handling that allows unauthenticated remote attackers to bypass Host header validation and redirect requests to internal services or cloud metadata endpoints. By manipulating the Host header when accessing prerendered error pages, attackers can read response bodies from internal URLs, cloud metadata services, or localhost resources. Public exploit code exists for this vulnerability, which affects applications using custom error pages without proper Host validation.