You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. In our PoC, both the allowed path and a bypass path returned 200 with the same SVG payload, confirming the bypass.
Impact
Attackers can fetch unintended remote resources on an allowlisted host via the image endpoint, expanding SSRF/data exposure beyond the configured path prefix.
isRemoteAllowed() evaluates remotePatterns for a requested URL.
matchPathname() handles pathname: "/img/*" using .replace() on the URL path.
A path such as /evil/img/secret incorrectly matches because /img/ is removed even when it's not at the start.
The image endpoint fetches and returns the remote resource.
PoC
The PoC starts a local attacker server and configures remotePatterns to allow only /img/*. It then requests the image endpoint with two URLs: an allowed path and a bypass path with /img/ in the middle. Both requests returned the SVG payload, showing the path restriction was bypassed.
The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript.
Details
The vulnerable function is defineScriptVars at packages/astro/src/runtime/server/render/util.ts:42-53:
exportfunctiondefineScriptVars(vars: Record<any,any>){letoutput='';for(const[key,value]ofObject.entries(vars)){output+=`const ${toIdent(key)} = ${JSON.stringify(value)?.replace(/<\/script>/g,// ← Case-sensitive, exact match only'\\x3C/script>',)};\n`;}returnmarkHTMLString(output);}
This function is called from renderElement at util.ts:172-174 when a <script> element has define:vars:
The regex /<\/script>/g fails to match three classes of closing script tags that HTML parsers accept per the HTML specification §13.2.6.4:
Case variations: </Script>, </SCRIPT>, </sCrIpT> — HTML tag names are case-insensitive but the regex has no i flag.
Whitespace before >: </script >, </script\t>, </script\n> — after the tag name, the HTML tokenizer enters the "before attribute name" state on ASCII whitespace.
Self-closing slash: </script/> — the tokenizer enters "self-closing start tag" state on /.
JSON.stringify() does not escape <, >, or / characters, so all these payloads pass through serialization unchanged.
Execution flow: User-controlled input (e.g., Astro.url.searchParams) → assigned to a variable → passed via define:vars on a <script> tag → renderElement → defineScriptVars → incomplete sanitization → injected into <script> block in HTML response → browser closes the script element early → attacker-controlled HTML parsed and executed.
PoC
Step 1: Create an SSR Astro page (src/pages/index.astro):
The browser's HTML parser matches </Script> case-insensitively, closing the script block. The <img onerror=alert(document.cookie)> is then parsed as HTML and the JavaScript in onerror executes.
An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any SSR Astro application that passes request-derived data to define:vars on a <script> tag. This is a documented and expected usage pattern in Astro.
Exploitation enables:
Session hijacking via cookie theft (document.cookie)
Credential theft by injecting fake login forms or keyloggers
Defacement of the rendered page
Redirection to attacker-controlled domains
The vulnerability affects all Astro versions that support define:vars and is exploitable in any SSR deployment where user input reaches a define:vars script variable.
Recommended Fix
Replace the case-sensitive exact-match regex with a comprehensive escape that covers all HTML parser edge cases. The simplest correct fix is to escape all < characters in the JSON output:
This is the standard approach used by frameworks like Next.js and Rails. Replacing every < with \u003c is safe inside JSON string contexts (JavaScript treats \u003c as < at runtime) and eliminates all possible </script> variants including case variations, whitespace, and self-closing forms.
Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa.
Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications that meet all of the following conditions:
The application uses server islands
Two different server island components share the same key name for a prop and a slot
An attacker has full control over the value of the overlapping prop (requires a dynamically rendered page)
These conditions are very unlikely to occur in real-world production applications.
Patches
This has been patched in astro@6.1.10.
The fix binds each encrypted parameter to its target component and purpose using AES-GCM authenticated additional data (AAD). Each ciphertext now includes context like props:IslandName or slots:IslandName, so encrypted data for one component cannot be replayed against a different component, and encrypted props cannot be reused as slots.
When a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.
This is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.
Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response.
Who is affected
This affects SSR deployments that:
Have a prerendered 404 or 500 page
Use createRequestFromNodeRequest from astro/app/node with app.render()without overriding prerenderedErrorPageFetch — this includes custom servers built on the public API and third-party adapters
Not affected:
@astrojs/node >= 9.5.4 (reads error pages from disk)
@astrojs/cloudflare (uses the ASSETS binding)
The dev server (renders error pages in-process)
How it works
createRequestFromNodeRequest builds request.url from the raw Host / :authority header. The allowedDomains option is accepted but only gates X-Forwarded-For — it does not constrain the URL origin. (The public createRequest does fall back to localhost for unvalidated hosts; this internal builder did not.)
When app.render() encounters a 404 or 500 with a prerendered error route, default-handler.ts constructs the error page URL using the origin from request.url and fetches it via prerenderedErrorPageFetch, which defaults to global fetch. The response body is served to the client.
An attacker sends a request with Host: attacker-host:port, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back.
Remediation
The error page fetch origin is now validated against allowedDomains before use. When the host is validated, the original origin is preserved. Otherwise, it falls back to localhost. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response.
The spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements.
Details
The vulnerable function is addAttribute at packages/astro/src/runtime/server/render/util.ts:81-141:
exportfunctionaddAttribute(value: any,key: string,shouldEscape=true,tagName=''){if(value==null){return'';}returnmarkHTMLString(` ${key}="${toAttributeString(value,shouldEscape)}"`);// key interpolated not escaped}
This function is called from spreadAttributes at packages/astro/src/runtime/server/index.ts:91-92:
The toAttributeString function escapes the attribute value, but the attribute name key is never validated or escaped. An attacker can craft a JSON object with a key containing " characters to break out of the attribute context and inject event handlers.
Execution flow: User controlled object keys (from API, CMS, URL params) are spread onto element via {...props}. The compiler generates spreadAttributes(props) which iterates with Object.entries() and calls addAttribute(value, key). The key is interpolated as ` ${key}="${escapedValue}"`. A malicious key breaks attribute context, resulting in XSS.
Enable SSR in astro.config.mjs (for URL based demo):
exportdefaultdefineConfig({output: 'server'});
Note: SSR is not required for the vulnerability to exist. In static builds (default), the attack vector is compromised data sources at build time (API, CMS, database). SSR simply makes the PoC easier to demonstrate via URL parameters.
The key x" onmousemove="alert(document.cookie)" y breaks out of the attribute context. Moving the mouse over the div executes the JavaScript.
Impact
An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any Astro application that spreads object props from untrusted sources onto HTML elements. This is a common pattern when integrating with external APIs or CMS systems. Exploitation enables session hijacking via cookie theft, credential theft by injecting fake login forms or keyloggers, defacement of the rendered page, and redirection to attacker controlled domains.
The vulnerability affects all Astro versions that support spread syntax on HTML elements and is exploitable in SSR, SSG (if build time data is compromised), and hybrid deployments.
#16765b10e86e Thanks @fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.
#17026add3df1 Thanks @matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)
#17033ffda27b Thanks @matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.
#169854ecff32 Thanks @maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.
#16947e0703a6 Thanks @ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.
#16997dc45246 Thanks @matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites
#169261b39ae8 Thanks @narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.
#169242c0bc94 Thanks @astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.
#169582c1d50f Thanks @fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.
#16855c610cda Thanks @astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.
#16946606c37b Thanks @ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].
#1672016d49b6 Thanks @thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.
#1670317390a6 Thanks @henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).
#16855c610cda Thanks @astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.
#160160d85e1b Thanks @felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.
#1691179c6c46 Thanks @astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.
#16899239c469 Thanks @matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.
#16889b94bcfd Thanks @Princesseuh! - Fixes a plugins is not iterable crash when using a pre-6.0 @astrojs/mdx alongside integrations (e.g. Starlight) that set markdown.remarkPlugins, markdown.rehypePlugins, or markdown.remarkRehype.
#16878b9f6bb9 Thanks @fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with @astrojs/node adapter, if [a_prebuild].astro (prerender=true) came before [b_ssr].astro alphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.
#16883eeb064c Thanks @Princesseuh! - Restores the astro/jsx/rehype.js entry point so that older versions of @astrojs/mdx continue to work when used with Astro 6.x. This entry point will be removed in Astro 7.0.
Adapters can now set preserveBuildServerDir: true in their adapter features to keep the dist/server/ directory structure for static builds, mirroring the existing preserveBuildClientDir option. This is useful for adapters that require a consistent dist/client/ and dist/server/ layout regardless of build output type.
#16848f732f3c Thanks @Princesseuh! - Adds a new markdown.processor configuration option, allowing you to choose an alternative Markdown processor.
Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.
The default processor is unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.
In addition to this new configuration option, Astro provides a new alternative processor based on Rust: Sätteri. You can choose to use it now by installing @astrojs/markdown-satteri, importing the satteri() processor, and adapting your existing configuration:
This processor does not support the remark and rehype plugins. This means you may need to convert them to MDAST or HAST plugins to retain your current functionality.
The existing top-level markdown.remarkPlugins, markdown.rehypePlugins, markdown.remarkRehype, markdown.gfm, and markdown.smartypants options still work, but are now deprecated and will be removed in a future major update. The matching remarkPlugins, rehypePlugins, and remarkRehype options on the MDX integration are also deprecated for the same reason. To anticipate their removal, move them onto unified({...}) (or your preferred plugin processor) :
#164684cff3a1 Thanks @matthewp! - Skips the static preview server when an adapter provides its own previewEntrypoint, allowing the adapter to handle both static and dynamic routes
#16811e0e26db Thanks @matthewp! - Fixes X-Forwarded-Host and X-Forwarded-Proto headers being ignored when set in a custom src/app.ts fetch handler before creating FetchState
#164684cff3a1 Thanks @matthewp! - Fixes the static preview server to respect preserveBuildClientDir, serving files from build.client instead of outDir when the adapter requires it
#167701e2aa11 Thanks @matthewp! - Fixes a race condition where the Vite dep optimizer could lose React dependencies in dev mode when using Astro Actions
#164684cff3a1 Thanks @matthewp! - Exempts internal routes (e.g. server islands) from getStaticPaths() validation, fixing server island rendering on static sites
#164684cff3a1 Thanks @matthewp! - Fixes preview for static sites that contain non-prerendered routes. Previously, the preview command ignored SSR routes discovered during route scanning and always used the static preview server.
#16830f2bf3cb Thanks @matthewp! - Fixes 404s for dynamically imported JS chunks when using an adapter with assetQueryParams (e.g. Vercel skew protection)
#16831ace96ba Thanks @astrobot-houston! - Fixes a misleading GetStaticPathsRequired error when a redirect is configured from a dynamic route to a static (or less-dynamic) destination. For example, '/project/[slug]': '/' previously produced a confusing error pointing at index.astro. Astro now detects the parameter mismatch at config validation time and throws a clear InvalidRedirectDestination error naming the missing parameters.
#16702b7d1758 Thanks @matthewp! - Fixes scoped styles from .astro components being dropped when rendered inside MDX content (<Content /> from render(entry)) passed through a named slot using <Fragment slot="X">. The Fragment component now eagerly evaluates its slot contents to ensure propagating components register their styles before head content is flushed.
#168219c76b12 Thanks @astrobot-houston! - Fixes request body handling in the Node adapter when req.body is a Buffer, Uint8Array, or ArrayBuffer. Previously, binary body data was incorrectly JSON-stringified (producing {"type":"Buffer","data":[...]}) instead of being passed through directly. This affected libraries like serverless-http that set req.body to a Buffer.
#16785de96360 Thanks @astrobot-houston! - Fixes vite.build.minify, vite.build.sourcemap, and vite.build.rollupOptions.output (e.g. compact) being ignored for client-side builds. These top-level Vite build options are now properly forwarded to the client environment, with environment-specific overrides (vite.environments.client.build.*) taking priority when set.
#16819b5dd8f1 Thanks @astrobot-houston! - Fixes custom elements in MDX files bypassing the renderer pipeline. Custom elements (tags containing hyphens like <my-element>) in .mdx files are now routed through registered renderers for SSR, matching the behavior of .astro files. If no renderer claims the element, it falls back to rendering as raw HTML.
#16808765896c Thanks @ematipico! - Fixes dynamic routes returning 400 Bad Request when the URL contains a literal % character, such as paths built with encodeURIComponent('%?.pdf')
#1680490d2aca Thanks @jp-knj! - Fixes a v6 regression where astro:i18n could not be imported from client <script> blocks.
#167748f77583 Thanks @astrobot-houston! - Fixes markdown images with empty alt text () in content collections dropping the alt attribute entirely. The alt="" attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).
#167763d10b5e Thanks @matthewp! - Fixes HMR serving stale content when components are passed as props via getStaticPaths()
#167847453860 Thanks @ematipico! - Improved the printing of the build time if it goes over the 60 seconds.
#166653dbbcee Thanks @Princesseuh! - Fixes remote SVG sources erroring with dangerouslyProcessSVG after the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension, data: MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to set image.dangerouslyProcessSVG: true or an explicit format="svg".
The error message has also been updated to point at format="svg" as the simpler workaround when an SVG source is encountered without dangerouslyProcessSVG enabled.
#167771754b91 Thanks @matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files
#16730068d924 Thanks @harshagarwalnyu! - Fixes an issue where the file() content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.
#167575d661cd Thanks @astrobot-houston! - Fixes dev server serving stale content when SSR-only modules change (e.g. .astro files outside the project root in a monorepo, or dynamically imported components).
Previously, the astro:hmr-reload plugin returned an empty array after detecting SSR-only module changes, which prevented Vite's updateModules from propagating the invalidation to the SSR module runner. The runner's evaluated module cache stayed stale, so subsequent requests continued returning old content.
Now the plugin returns the SSR-only modules so Vite can process them through updateModules, which properly invalidates the module runner's cache and ensures fresh content on the next request.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/astro@6.4.7. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
Bot
force-pushed
the
renovate/npm-astro-vulnerability
branch
from
This PR contains the following updates:
^5.13.2→^6.0.0Astro: Remote allowlist bypass via unanchored matchPathname wildcard
CVE-2026-33769 / GHSA-g735-7g2w-hh3f
More information
Details
Summary
This issue concerns Astro's
remotePatternspath enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for/*wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. In our PoC, both the allowed path and a bypass path returned 200 with the same SVG payload, confirming the bypass.Impact
Attackers can fetch unintended remote resources on an allowlisted host via the image endpoint, expanding SSRF/data exposure beyond the configured path prefix.
Description
Taint flow: request ->
transform.src->isRemoteAllowed()->matchPattern()->matchPathname()User-controlled
hrefis parsed intotransform.srcand validated viaisRemoteAllowed():Source: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/astro/src/assets/endpoint/generic.ts#L43-L56
isRemoteAllowed()checks eachremotePatternviamatchPattern():Source: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L15-L21
The vulnerable logic in
matchPathname()usesreplace()without anchoring the prefix for/*patterns:Source: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L85-L99
Vulnerable code flow:
isRemoteAllowed()evaluatesremotePatternsfor a requested URL.matchPathname()handlespathname: "/img/*"using.replace()on the URL path./evil/img/secretincorrectly matches because/img/is removed even when it's not at the start.PoC
The PoC starts a local attacker server and configures remotePatterns to allow only
/img/*. It then requests the image endpoint with two URLs: an allowed path and a bypass path with/img/in the middle. Both requests returned the SVG payload, showing the path restriction was bypassed.Vulnerable config
Affected pages
This PoC targets the
/_imageendpoint directly; no additional pages are required.PoC Code
Attacker server
PoC Steps
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:PReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro: XSS in define:vars via incomplete </script> tag sanitization
CVE-2026-41067 / GHSA-j687-52p2-xcff
More information
Details
Summary
The
defineScriptVarsfunction in Astro's server-side rendering pipeline uses a case-sensitive regex/<\/script>/gto sanitize values injected into inline<script>tags via thedefine:varsdirective. HTML parsers close<script>elements case-insensitively and also accept whitespace or/before the closing>, allowing an attacker to bypass the sanitization with payloads like</Script>,</script >, or</script/>and inject arbitrary HTML/JavaScript.Details
The vulnerable function is
defineScriptVarsatpackages/astro/src/runtime/server/render/util.ts:42-53:This function is called from
renderElementatutil.ts:172-174when a<script>element hasdefine:vars:The regex
/<\/script>/gfails to match three classes of closing script tags that HTML parsers accept per the HTML specification §13.2.6.4:</Script>,</SCRIPT>,</sCrIpT>— HTML tag names are case-insensitive but the regex has noiflag.>:</script >,</script\t>,</script\n>— after the tag name, the HTML tokenizer enters the "before attribute name" state on ASCII whitespace.</script/>— the tokenizer enters "self-closing start tag" state on/.JSON.stringify()does not escape<,>, or/characters, so all these payloads pass through serialization unchanged.Execution flow: User-controlled input (e.g.,
Astro.url.searchParams) → assigned to a variable → passed viadefine:varson a<script>tag →renderElement→defineScriptVars→ incomplete sanitization → injected into<script>block in HTML response → browser closes the script element early → attacker-controlled HTML parsed and executed.PoC
Step 1: Create an SSR Astro page (
src/pages/index.astro):Step 2: Ensure SSR is enabled in
astro.config.mjs:Step 3: Start the dev server and visit:
Step 4: View the HTML source. The output contains:
The browser's HTML parser matches
</Script>case-insensitively, closing the script block. The<img onerror=alert(document.cookie)>is then parsed as HTML and the JavaScript inonerrorexecutes.Alternative bypass payloads:
Impact
An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any SSR Astro application that passes request-derived data to
define:varson a<script>tag. This is a documented and expected usage pattern in Astro.Exploitation enables:
document.cookie)The vulnerability affects all Astro versions that support
define:varsand is exploitable in any SSR deployment where user input reaches adefine:varsscript variable.Recommended Fix
Replace the case-sensitive exact-match regex with a comprehensive escape that covers all HTML parser edge cases. The simplest correct fix is to escape all
<characters in the JSON output:This is the standard approach used by frameworks like Next.js and Rails. Replacing every
<with\u003cis safe inside JSON string contexts (JavaScript treats\u003cas<at runtime) and eliminates all possible</script>variants including case variations, whitespace, and self-closing forms.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro: Server island encrypted parameters vulnerable to cross-component replay
CVE-2026-45028 / GHSA-xr5h-phrj-8vxv
More information
Details
Impact
Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (
p) value as another component's slots (s) value, or vice versa.Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications that meet all of the following conditions:
These conditions are very unlikely to occur in real-world production applications.
Patches
This has been patched in astro@6.1.10.
The fix binds each encrypted parameter to its target component and purpose using AES-GCM authenticated additional data (AAD). Each ciphertext now includes context like
props:IslandNameorslots:IslandName, so encrypted data for one component cannot be replayed against a different component, and encrypted props cannot be reused as slots.References
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:PReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro: Reflected XSS via unescaped slot name
CVE-2026-50146 / GHSA-8hv8-536x-4wqp
More information
Details
Summary
When a component uses a
client:*directive, Astro inserts named slot content into adata-astro-templateattribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.This is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.
Vulnerable Code
packages/astro/src/runtime/server/render/component.ts:371:376I found that key is interpolated directly into the attribute value without proper escaping.
Proof of Concept
For the PoC, I set up with a minimal repository with Astro 6.3.1, Node.js: v26.0.0.
astro.config.mjssrc/pages/index.astrosrc/components/Wrapper.jsxPayload:
Accessing this URL will trigger the popup.
http://localhost:4321/?tab=abc%22%3E%3C%2Ftemplate%3E%3C%2Fastro-island%3E%3Cimg+src%3Dx+onerror%3Dconfirm(document.domain)%3E%3C!--
This will render in html.
Fix
I suggest leveraging the existing escape function on the slot name.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro: Host header SSRF in prerendered error page fetch
CVE-2026-54299 / GHSA-2pvr-wf23-7pc7
More information
Details
Summary
Astro SSR apps with prerendered error pages (
/404or/500usingexport const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived fromrequest.url, which in turn gets its origin from the incomingHostheader. When theHostheader is not validated againstallowedDomains, an attacker can point the fetch at an arbitrary host and read the response.Who is affected
This affects SSR deployments that:
createRequestFromNodeRequestfromastro/app/nodewithapp.render()without overridingprerenderedErrorPageFetch— this includes custom servers built on the public API and third-party adaptersNot affected:
@astrojs/node>= 9.5.4 (reads error pages from disk)@astrojs/cloudflare(uses the ASSETS binding)How it works
createRequestFromNodeRequestbuildsrequest.urlfrom the rawHost/:authorityheader. TheallowedDomainsoption is accepted but only gatesX-Forwarded-For— it does not constrain the URL origin. (The publiccreateRequestdoes fall back tolocalhostfor unvalidated hosts; this internal builder did not.)When
app.render()encounters a 404 or 500 with a prerendered error route,default-handler.tsconstructs the error page URL using the origin fromrequest.urland fetches it viaprerenderedErrorPageFetch, which defaults to globalfetch. The response body is served to the client.An attacker sends a request with
Host: attacker-host:port, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back.Remediation
The error page fetch origin is now validated against
allowedDomainsbefore use. When the host is validated, the original origin is preserved. Otherwise, it falls back tolocalhost. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response.Credit
5ud0 / Tarmo Technologies
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro: XSS via Unescaped Attribute Names in Spread Props
CVE-2026-54298 / GHSA-jrpj-wcv7-9fh9
More information
Details
Summary
The
spreadAttributesfunction in Astro's server-side rendering pipeline iterates over object keys and passes them directly toaddAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax{...props}on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers likeonmousemove,onclick, or break out of the attribute context entirely to inject new elements.Details
The vulnerable function is
addAttributeatpackages/astro/src/runtime/server/render/util.ts:81-141:This function is called from
spreadAttributesatpackages/astro/src/runtime/server/index.ts:91-92:The
toAttributeStringfunction escapes the attribute value, but the attribute namekeyis never validated or escaped. An attacker can craft a JSON object with a key containing " characters to break out of the attribute context and inject event handlers.Execution flow: User controlled object keys (from API, CMS, URL params) are spread onto element via
{...props}. The compiler generatesspreadAttributes(props)which iterates withObject.entries()and callsaddAttribute(value, key). The key is interpolated as` ${key}="${escapedValue}"`. A malicious key breaks attribute context, resulting in XSS.POC
Create an SSR Astro page (
src/pages/index.astro):Enable SSR in
astro.config.mjs(for URL based demo):Note: SSR is not required for the vulnerability to exist. In static builds (default), the attack vector is compromised data sources at build time (API, CMS, database). SSR simply makes the PoC easier to demonstrate via URL parameters.
Start the dev server and visit:
URL encoded:
View the HTML source. The output contains:
The key
x" onmousemove="alert(document.cookie)" ybreaks out of the attribute context. Moving the mouse over the div executes the JavaScript.Impact
An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any Astro application that spreads object props from untrusted sources onto HTML elements. This is a common pattern when integrating with external APIs or CMS systems. Exploitation enables session hijacking via cookie theft, credential theft by injecting fake login forms or keyloggers, defacement of the rendered page, and redirection to attacker controlled domains.
The vulnerability affects all Astro versions that support spread syntax on HTML elements and is exploitable in SSR, SSG (if build time data is compromised), and hybrid deployments.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
withastro/astro (astro)
v6.4.6Compare Source
Patch Changes
#16765
b10e86eThanks @fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.#17026
add3df1Thanks @matthewp! - HardensaddAttributeto drop attribute names containing characters that are invalid per the HTML spec (",',>,/,=, whitespace)#17033
ffda27bThanks @matthewp! - Validates the request origin againstallowedDomainsbefore fetching prerendered error pages. WhenallowedDomainsis configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back tolocalhost.v6.4.5Compare Source
Patch Changes
#16985
4ecff32Thanks @maximslo! - Fixes theexperimental.loggerdestination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, andadapterLoggerre-creates itself when the underlying logger changes so the startup message uses the correct destination.#16947
e0703a6Thanks @ematipico! - FixesAstro.request.urlnot reflecting validatedX-Forwarded-Proto/X-Forwarded-Hostheaders whensecurity.allowedDomainsis configured. Previously, onlyAstro.urlwas updated with the forwarded origin whileAstro.request.urlretained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.#16997
dc45246Thanks @matthewp! - Reverts a change toisNoderuntime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sitesv6.4.4Compare Source
Patch Changes
#16926
1b39ae8Thanks @narendraio! - PreventsApp.match()from throwing on request paths that contain an invalid percent-sequence.#16924
2c0bc94Thanks @astrobot-houston! - Fixes an issue where editing a client-side component (e.g. withclient:idle,client:load, etc.) caused an unnecessary full program reload of the backend during development.#16958
2c1d50fThanks @fkatsuhiro! - Fixes a bug where static file endpoints usinggetStaticPathswith.htmlin dynamic param values (e.g.{ path: 'file.html' }) would fail with aNoMatchingStaticPathFounderror during build. The.htmlsuffix is no longer incorrectly stripped from endpoint route pathnames.#16855
c610cdaThanks @astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.#16946
606c37bThanks @ematipico! - FixesAstro.routePatternto preserve original casing of dynamic parameter names from filenames. Previously, a file atsrc/pages/blog/[postId].astrowould return/blog/[postid]forAstro.routePatterndue to an internal.toLowerCase()call. It now correctly returns/blog/[postId].#16720
16d49b6Thanks @thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string[object Object]instead of the expected content, in certain runtimes.#16703
17390a6Thanks @henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. runningastro devfromd:\dev\appwhile the folder on disk isD:\dev\app).#16855
c610cdaThanks @astrobot-houston! - FixesAstro.currentLocalereturning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.v6.4.3Compare Source
Patch Changes
#16900
17a0fbdThanks @ocavue! - Bumpsdevaluedependency to v5.8.1#16016
0d85e1bThanks @felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed<details>elements.#16911
79c6c46Thanks @astrobot-houston! - Fixes a bug whereexperimental.advancedRoutingwithastro/honohandlers threwTypeError: Cannot read properties of undefined (reading 'route')for unmatched routes instead of rendering the custom 404 page.#16899
239c469Thanks @matthewp! - Fixes a false "does not call the middleware() handler" warning when usingastro()in a customsrc/app.tsand the first request is a redirect route.#16887
493acdbThanks @astrobot-houston! - FixesredirectToDefaultLocalenot working after the Advanced Routing refactoring.#16908
ef53ab9Thanks @florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variantsv6.4.2Patch Changes
#16889
b94bcfdThanks @Princesseuh! - Fixes aplugins is not iterablecrash when using a pre-6.0@astrojs/mdxalongside integrations (e.g. Starlight) that setmarkdown.remarkPlugins,markdown.rehypePlugins, ormarkdown.remarkRehype.#16878
b9f6bb9Thanks @fkatsuhiro! - Fixes an issue where on-demand (SSR) dynamic routes would return 404 when a prerendered dynamic route with the same URL pattern was sorted first alphabetically. In production builds with@astrojs/nodeadapter, if[a_prebuild].astro(prerender=true) came before[b_ssr].astroalphabetically, requests to URLs not in the prerendered route's static paths would 404 instead of falling through to the SSR route. The fix adds fallthrough logic so that when a prerendered dynamic route matches but can't serve the request, Astro tries subsequent matching routes.v6.4.1Patch Changes
eeb064cThanks @Princesseuh! - Restores theastro/jsx/rehype.jsentry point so that older versions of@astrojs/mdxcontinue to work when used with Astro 6.x. This entry point will be removed in Astro 7.0.v6.4.0Compare Source
Minor Changes
#16468
4cff3a1Thanks @matthewp! - Adds a newpreserveBuildServerDiradapter featureAdapters can now set
preserveBuildServerDir: truein their adapter features to keep thedist/server/directory structure for static builds, mirroring the existingpreserveBuildClientDiroption. This is useful for adapters that require a consistentdist/client/anddist/server/layout regardless of build output type.#16848
f732f3cThanks @Princesseuh! - Adds a newmarkdown.processorconfiguration option, allowing you to choose an alternative Markdown processor.Websites with many Markdown/MDX files tend to be slow to build because the unified ecosystem (e.g., remark, rehype) is slow to process. This feature introduces the ability to replace this part of the build pipeline with another processor.
The default processor is
unified(). This means that existing configurations remain unchanged and your remark/rehype plugins continue to work.In addition to this new configuration option, Astro provides a new alternative processor based on Rust: Sätteri. You can choose to use it now by installing
@astrojs/markdown-satteri, importing thesatteri()processor, and adapting your existing configuration:This processor does not support the remark and rehype plugins. This means you may need to convert them to MDAST or HAST plugins to retain your current functionality.
The existing top-level
markdown.remarkPlugins,markdown.rehypePlugins,markdown.remarkRehype,markdown.gfm, andmarkdown.smartypantsoptions still work, but are now deprecated and will be removed in a future major update. The matchingremarkPlugins,rehypePlugins, andremarkRehypeoptions on the MDX integration are also deprecated for the same reason. To anticipate their removal, move them ontounified({...})(or your preferred plugin processor) :// astro.config.mjs import { defineConfig } from 'astro/config'; import remarkToc from 'remark-toc'; import rehypeSlug from 'rehype-slug'; + import { unified } from '@​astrojs/markdown-remark'; export default defineConfig({ markdown: { + processor: unified({ + remarkPlugins: [remarkToc], + rehypePlugins: [rehypeSlug], + remarkRehype: true, + gfm: true, + smartypants: true, + }), - remarkPlugins: [remarkToc], - rehypePlugins: [rehypeSlug], - remarkRehype: true, - gfm: true, - smartypants: true, }, });For more information on enabling and using this feature in your project, see our Markdown guide. To give feedback on this new Rust processor, see the Native Markdown / MDX parsing and processing RFC.
Patch Changes
#16468
4cff3a1Thanks @matthewp! - Skips the static preview server when an adapter provides its ownpreviewEntrypoint, allowing the adapter to handle both static and dynamic routes#16811
e0e26dbThanks @matthewp! - FixesX-Forwarded-HostandX-Forwarded-Protoheaders being ignored when set in a customsrc/app.tsfetch handler before creatingFetchState#16468
4cff3a1Thanks @matthewp! - Fixes the static preview server to respectpreserveBuildClientDir, serving files frombuild.clientinstead ofoutDirwhen the adapter requires it#16770
1e2aa11Thanks @matthewp! - Fixes a race condition where the Vite dep optimizer could lose React dependencies in dev mode when using Astro Actions#16468
4cff3a1Thanks @matthewp! - Exempts internal routes (e.g. server islands) fromgetStaticPaths()validation, fixing server island rendering on static sites#16468
4cff3a1Thanks @matthewp! - Fixes preview for static sites that contain non-prerendered routes. Previously, the preview command ignored SSR routes discovered during route scanning and always used the static preview server.Updated dependencies [
f732f3c,f732f3c]:v6.3.8Compare Source
Patch Changes
#16830
f2bf3cbThanks @matthewp! - Fixes 404s for dynamically imported JS chunks when using an adapter withassetQueryParams(e.g. Vercel skew protection)#16831
ace96baThanks @astrobot-houston! - Fixes a misleadingGetStaticPathsRequirederror when a redirect is configured from a dynamic route to a static (or less-dynamic) destination. For example,'/project/[slug]': '/'previously produced a confusing error pointing atindex.astro. Astro now detects the parameter mismatch at config validation time and throws a clearInvalidRedirectDestinationerror naming the missing parameters.#16702
b7d1758Thanks @matthewp! - Fixes scoped styles from.astrocomponents being dropped when rendered inside MDX content (<Content />fromrender(entry)) passed through a named slot using<Fragment slot="X">. The Fragment component now eagerly evaluates its slot contents to ensure propagating components register their styles before head content is flushed.#16823
3df6a45Thanks @astrobot-houston! - Fixes missing CSS for conditionally rendered Svelte components in production builds#16836
3d7adfaThanks @LongYC! - Document compressHTML: "jsx" config is only available since Astro v6.2.0#16864
334ce13Thanks @cheets! - Fixes a false-positiveInternal Warning: route cache overwrittenlogged on every SSR request for dynamic routesv6.3.7Compare Source
Patch Changes
#16821
9c76b12Thanks @astrobot-houston! - Fixes request body handling in the Node adapter whenreq.bodyis aBuffer,Uint8Array, orArrayBuffer. Previously, binary body data was incorrectly JSON-stringified (producing{"type":"Buffer","data":[...]}) instead of being passed through directly. This affected libraries likeserverless-httpthat setreq.bodyto aBuffer.#16785
de96360Thanks @astrobot-houston! - Fixesvite.build.minify,vite.build.sourcemap, andvite.build.rollupOptions.output(e.g.compact) being ignored for client-side builds. These top-level Vite build options are now properly forwarded to the client environment, with environment-specific overrides (vite.environments.client.build.*) taking priority when set.#16819
b5dd8f1Thanks @astrobot-houston! - Fixes custom elements in MDX files bypassing the renderer pipeline. Custom elements (tags containing hyphens like<my-element>) in.mdxfiles are now routed through registered renderers for SSR, matching the behavior of.astrofiles. If no renderer claims the element, it falls back to rendering as raw HTML.#16808
765896cThanks @ematipico! - Fixes dynamic routes returning 400 Bad Request when the URL contains a literal%character, such as paths built withencodeURIComponent('%?.pdf')#16804
90d2acaThanks @jp-knj! - Fixes a v6 regression whereastro:i18ncould not be imported from client<script>blocks.v6.3.6Compare Source
Patch Changes
#16774
8f77583Thanks @astrobot-houston! - Fixes markdown images with empty alt text () in content collections dropping thealtattribute entirely. Thealt=""attribute is now correctly preserved in the rendered HTML output, which is important for accessibility (indicating decorative images).#16776
3d10b5eThanks @matthewp! - Fixes HMR serving stale content when components are passed as props viagetStaticPaths()#16784
7453860Thanks @ematipico! - Improved the printing of the build time if it goes over the 60 seconds.#16665
3dbbceeThanks @Princesseuh! - Fixes remote SVG sources erroring withdangerouslyProcessSVGafter the v6.3 SVG-processing gate. The default Sharp service now resolves the output format from the source up-front when it can (URL extension,data:MIME, ESM metadata), and from the actual buffer at request time when it can't, so SVG sources pass through untouched without needing to setimage.dangerouslyProcessSVG: trueor an explicitformat="svg".The error message has also been updated to point at
format="svg"as the simpler workaround when an SVG source is encountered withoutdangerouslyProcessSVGenabled.#16777
1754b91Thanks @matthewp! - Fixes HMR serving stale content for dynamically imported components through barrel files#16730
068d924Thanks @harshagarwalnyu! - Fixes an issue where thefile()content loader did not generate a valid JSON Schema for collections whose JSON or YAML data is a top-level array instead of an object.v6.3.5Compare Source
Patch Changes
#16771
07c8805Thanks @ematipico! - Fixespositionprop on<Image>and<Picture>components breaking Content Security Policy (CSP).#16593
50924ceThanks @yanthomasdev! - Improves error messages with more consistent and correct writing.#16757
5d661cdThanks @astrobot-houston! - Fixes dev server serving stale content when SSR-only modules change (e.g..astrofiles outside the project root in a monorepo, or dynamically imported components).Previously, the
astro:hmr-reloadplugin returned an empty array after detecting SSR-only module changes, which prevented Vite'supdateModulesfrom propagating the invalidation to the SSR module runner. The runner's evaluated module cache stayed stale, so subsequent requests continued returning old content.Now the plugin returns the SSR-only modules so Vite can process them through
updateModules, which properly invalidates the module runner's cache and ensures fresh content on the next request.v6.3.4Compare Source
Patch Changes
0f10bfeThanks @matthewp!Configuration
📅 Schedule: (in timezone Europe/Copenhagen)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.