
[GHSA-qq67-mvv5-fw3g] Astro has Full-Read SSRF in error rendering via Host: header injection#7055

Open
kytta wants to merge 1 commit into kytta/advisory-improvement-7055 from kytta-GHSA-qq67-mvv5-fw3g

Conversation


@kytta kytta commented Feb 24, 2026

Updates

  • Affected products
  • References

Comments
Apparently the bug was fixed in v9.5.3, but the fix is not included in any changelog entry

Collaborator

github commented Feb 24, 2026

Hi there @matthewp! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings February 24, 2026 11:35
@github-actions github-actions bot changed the base branch from main to kytta/advisory-improvement-7055 February 24, 2026 11:36

Copilot AI left a comment


Pull request overview

This PR updates a GitHub Security Advisory (GHSA-qq67-mvv5-fw3g) for an Astro SSRF vulnerability. The changes correct the version number where the vulnerability was fixed, updating it from 9.5.3 to 9.5.4 as noted in the PR description that the bug was actually fixed in v9.5.3, not v9.5.4. Additionally, a commit reference is added to provide more context about the fix.

Changes:

  • Updated the "fixed" version from 9.5.4 to 9.5.3 in the affected package ranges
  • Added a new commit reference (c13b536197a70d8d4fd0037c5bd3aaa2be0598b9) to the references section
  • Incremented the modified timestamp by one second to reflect the update


@helixplant

Hi,
Based on the repository advisory (GHSA-qq67-mvv5-fw3g) this vulnerability was present in version 9.5.3 and fixed in version 9.5.4. Could you share where you’re seeing that it was fixed in 9.5.3, or provide any supporting details such as a fix commit?

Author

kytta commented Feb 25, 2026

Hi,

based on the repository advisory (GHSA-qq67-mvv5-fw3g) this vulnerability was present in version 9.5.3 and fixed in version 9.5.4.

Yes, this is why I have created this PR to change the mentioned advisory :)

Could you share where you’re seeing that it was fixed in 9.5.3, or provide any supporting details such as a fix commit?

I made this assumption based on this commit: withastro/astro@c13b536, as mentioned in the updated advisory. This commit adds the Host header validation, which should fix the described vuln. This commit was already present in version 9.5.3.

I have tried the POC from the advisory and can confirm that:

  1. With Astro < 5.17.3 and adapter < 9.5.2, the PoC works
  2. With Astro < 5.17.3 and adapter >= 9.5.3, the PoC no longer works; the app works as expected
  3. With Astro >= 5.17.3 and adapter < 9.5.2, the app crashes
  4. With Astro >= 5.17.3 and adapter >= 9.5.3, the PoC no longer works; the app works as expected

So, the mitigation is achieved with 9.5.3 already, and as such that version should be marked as the earliest fix.
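The Host header validation kytta refers to, as an added illustration that is not the advisory's, Astro's or the adapter's own code: a helper that rebuilds an origin from the client-supplied Host header next to a hardened version that only accepts hosts from a configured allowlist. All function names, the allowlist and the sample Host values are constructed for this example.

```javascript
// Constructed allowlist: the hostnames this deployment is actually served on.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);

// Weak pattern: the origin used for an internal fetch (e.g. of an error page)
// is derived from the Host header as-is. Any value the client sends ends up
// as the destination of that server-side request.
function unsafeErrorPageUrl(hostHeader) {
  return new URL("/500", `http://${hostHeader}`).href;
}

// Hardened pattern: require a well-formed host[:port], normalise case and
// refuse anything that is not on the allowlist before building a URL.
function safeErrorPageUrl(hostHeader, allowedHosts = ALLOWED_HOSTS) {
  if (typeof hostHeader !== "string" || hostHeader.length === 0) {
    throw new Error("missing Host header");
  }
  // Only a bare hostname (or bracketed IPv6 literal) plus an optional port;
  // characters such as "@", "/" or "?" would let the value smuggle in
  // credentials, a path or a second host and are rejected outright.
  const m = /^([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(\d{1,5}))?$/i.exec(hostHeader);
  if (!m) throw new Error(`malformed Host header: ${hostHeader}`);
  const hostname = m[1].toLowerCase();
  if (!allowedHosts.has(hostname)) {
    throw new Error(`Host not in allowlist: ${hostname}`);
  }
  const port = m[2] ? `:${m[2]}` : "";
  return new URL("/500", `http://${hostname}${port}`).href;
}

// Convenience predicate for middleware: true only when the Host header
// passes the hardened check.
function isSafeHost(hostHeader, allowedHosts = ALLOWED_HOSTS) {
  try {
    safeErrorPageUrl(hostHeader, allowedHosts);
    return true;
  } catch {
    return false;
  }
}
```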

@helixplant

Thank you for the additional information! I see where the confusion lies, I will look further into this and get back to you soon!
