CVE-2026-45028— Astro: Server island encrypted parameters vulnerable to cross-component replay
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1068 · Exploitation for Privilege Escalation T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45028
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Astro: Server island encrypted parameters vulnerable to cross-component replay
Source: NVD (National Vulnerability Database)
Vulnerability Description
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在加密中重用Nonce与密钥对
Source: NVD (National Vulnerability Database)
Vulnerability Title
Astro 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Astro是Astro开源的一个内容驱动网站的 web 框架。 Astro 6.1.10之前版本存在安全漏洞,该漏洞源于使用AES-GCM加密保护服务器岛属性和插槽参数时未将密文绑定到预期组件或参数类型,可能导致跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45028
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45028
请登录查看更多情报信息。
- https://github.com/withastro/astro/pull/16457x_refsource_MISC
- https://github.com/withastro/astro/security/advisories/GHSA-xr5h-phrj-8vxvx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-45028
IV. Related Vulnerabilities
Same product: astro
- CVE-2026-41248
Official Clerk JavaScript SDKs: Middleware-based route prot - CVE-2026-41322
@astrojs/node: Cache Poisoning due to incorrect error handli - CVE-2026-41067
Astro: XSS via incomplete `</script>` sanitization in `defin - CVE-2026-33769
Astro: Remote allowlist bypass via unanchored matchPathname - CVE-2026-33768
Astro: Unauthenticated Path Override via `x-astro-path` / `x
Same vendor: withastro
- CVE-2026-41322
@astrojs/node: Cache Poisoning due to incorrect error handli - CVE-2026-41321
@astrojs/cloudflare: SSRF via redirect following in Cloudfla - CVE-2026-41067
Astro: XSS via incomplete `</script>` sanitization in `defin - CVE-2026-33769
Astro: Remote allowlist bypass via unanchored matchPathname - CVE-2026-33768
Astro: Unauthenticated Path Override via `x-astro-path` / `x
Same weakness: CWE-323
- CVE-2026-5446
wolfSSL ARIA-GCM TLS 1.2/DTLS 1.2 GCM nonce reuse - CVE-2026-3559
Philips Hue Bridge HomeKit Accessory Protocol Static Nonce A - CVE-2026-3099
Libsoup: libsoup: authentication bypass via digest authentic - CVE-2026-25998
strongMan vulnerable to private credential recovery due to k - CVE-2025-47345
Reusing a Nonce, Key Pair in Encryption in Automotive Platfo
V. Comments for CVE-2026-45028
No comments yet