chore(deps): update dependency astro to v6.4.6 [security]#1479
Merged
Conversation
✅ Deploy Preview for nifty-bardeen-5c7e53 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.4.2→6.4.6Astro: Host header SSRF in prerendered error page fetch
CVE-2026-54299 / GHSA-2pvr-wf23-7pc7
More information
Details
Summary
Astro SSR apps with prerendered error pages (
/404or/500usingexport const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived fromrequest.url, which in turn gets its origin from the incomingHostheader. When theHostheader is not validated againstallowedDomains, an attacker can point the fetch at an arbitrary host and read the response.Who is affected
This affects SSR deployments that:
createRequestFromNodeRequestfromastro/app/nodewithapp.render()without overridingprerenderedErrorPageFetch— this includes custom servers built on the public API and third-party adaptersNot affected:
@astrojs/node>= 9.5.4 (reads error pages from disk)@astrojs/cloudflare(uses the ASSETS binding)How it works
createRequestFromNodeRequestbuildsrequest.urlfrom the rawHost/:authorityheader. TheallowedDomainsoption is accepted but only gatesX-Forwarded-For— it does not constrain the URL origin. (The publiccreateRequestdoes fall back tolocalhostfor unvalidated hosts; this internal builder did not.)When
app.render()encounters a 404 or 500 with a prerendered error route,default-handler.tsconstructs the error page URL using the origin fromrequest.urland fetches it viaprerenderedErrorPageFetch, which defaults to globalfetch. The response body is served to the client.An attacker sends a request with
Host: attacker-host:port, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back.Remediation
The error page fetch origin is now validated against
allowedDomainsbefore use. When the host is validated, the original origin is preserved. Otherwise, it falls back tolocalhost. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response.Credit
5ud0 / Tarmo Technologies
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Astro: XSS via Unescaped Attribute Names in Spread Props
CVE-2026-54298 / GHSA-jrpj-wcv7-9fh9
More information
Details
Summary
The
spreadAttributesfunction in Astro's server-side rendering pipeline iterates over object keys and passes them directly toaddAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax{...props}on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers likeonmousemove,onclick, or break out of the attribute context entirely to inject new elements.Details
The vulnerable function is
addAttributeatpackages/astro/src/runtime/server/render/util.ts:81-141:This function is called from
spreadAttributesatpackages/astro/src/runtime/server/index.ts:91-92:The
toAttributeStringfunction escapes the attribute value, but the attribute namekeyis never validated or escaped. An attacker can craft a JSON object with a key containing " characters to break out of the attribute context and inject event handlers.Execution flow: User controlled object keys (from API, CMS, URL params) are spread onto element via
{...props}. The compiler generatesspreadAttributes(props)which iterates withObject.entries()and callsaddAttribute(value, key). The key is interpolated as` ${key}="${escapedValue}"`. A malicious key breaks attribute context, resulting in XSS.POC
Create an SSR Astro page (
src/pages/index.astro):Enable SSR in
astro.config.mjs(for URL based demo):Note: SSR is not required for the vulnerability to exist. In static builds (default), the attack vector is compromised data sources at build time (API, CMS, database). SSR simply makes the PoC easier to demonstrate via URL parameters.
Start the dev server and visit:
URL encoded:
View the HTML source. The output contains:
The key
x" onmousemove="alert(document.cookie)" ybreaks out of the attribute context. Moving the mouse over the div executes the JavaScript.Impact
An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any Astro application that spreads object props from untrusted sources onto HTML elements. This is a common pattern when integrating with external APIs or CMS systems. Exploitation enables session hijacking via cookie theft, credential theft by injecting fake login forms or keyloggers, defacement of the rendered page, and redirection to attacker controlled domains.
The vulnerability affects all Astro versions that support spread syntax on HTML elements and is exploitable in SSR, SSG (if build time data is compromised), and hybrid deployments.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
withastro/astro (astro)
v6.4.6Compare Source
Patch Changes
#16765
b10e86eThanks @fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.#17026
add3df1Thanks @matthewp! - HardensaddAttributeto drop attribute names containing characters that are invalid per the HTML spec (",',>,/,=, whitespace)#17033
ffda27bThanks @matthewp! - Validates the request origin againstallowedDomainsbefore fetching prerendered error pages. WhenallowedDomainsis configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back tolocalhost.v6.4.5Compare Source
Patch Changes
#16985
4ecff32Thanks @maximslo! - Fixes theexperimental.loggerdestination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, andadapterLoggerre-creates itself when the underlying logger changes so the startup message uses the correct destination.#16947
e0703a6Thanks @ematipico! - FixesAstro.request.urlnot reflecting validatedX-Forwarded-Proto/X-Forwarded-Hostheaders whensecurity.allowedDomainsis configured. Previously, onlyAstro.urlwas updated with the forwarded origin whileAstro.request.urlretained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.#16997
dc45246Thanks @matthewp! - Reverts a change toisNoderuntime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sitesv6.4.4Compare Source
Patch Changes
#16926
1b39ae8Thanks @narendraio! - PreventsApp.match()from throwing on request paths that contain an invalid percent-sequence.#16924
2c0bc94Thanks @astrobot-houston! - Fixes an issue where editing a client-side component (e.g. withclient:idle,client:load, etc.) caused an unnecessary full program reload of the backend during development.#16958
2c1d50fThanks @fkatsuhiro! - Fixes a bug where static file endpoints usinggetStaticPathswith.htmlin dynamic param values (e.g.{ path: 'file.html' }) would fail with aNoMatchingStaticPathFounderror during build. The.htmlsuffix is no longer incorrectly stripped from endpoint route pathnames.#16855
c610cdaThanks @astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.#16946
606c37bThanks @ematipico! - FixesAstro.routePatternto preserve original casing of dynamic parameter names from filenames. Previously, a file atsrc/pages/blog/[postId].astrowould return/blog/[postid]forAstro.routePatterndue to an internal.toLowerCase()call. It now correctly returns/blog/[postId].#16720
16d49b6Thanks @thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string[object Object]instead of the expected content, in certain runtimes.#16703
17390a6Thanks @henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. runningastro devfromd:\dev\appwhile the folder on disk isD:\dev\app).#16855
c610cdaThanks @astrobot-houston! - FixesAstro.currentLocalereturning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.v6.4.3Compare Source
Patch Changes
#16900
17a0fbdThanks @ocavue! - Bumpsdevaluedependency to v5.8.1#16016
0d85e1bThanks @felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed<details>elements.#16911
79c6c46Thanks @astrobot-houston! - Fixes a bug whereexperimental.advancedRoutingwithastro/honohandlers threwTypeError: Cannot read properties of undefined (reading 'route')for unmatched routes instead of rendering the custom 404 page.#16899
239c469Thanks @matthewp! - Fixes a false "does not call the middleware() handler" warning when usingastro()in a customsrc/app.tsand the first request is a redirect route.#16887
493acdbThanks @astrobot-houston! - FixesredirectToDefaultLocalenot working after the Advanced Routing refactoring.#16908
ef53ab9Thanks @florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variantsConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.