
astro — Vulnerabilities & Security Advisories (25)

All 25 CVE vulnerabilities found in astro, with AI-generated Chinese analysis, references, and POCs.

Vendor: withastro

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41248 | Official Clerk JavaScript SDKs: Middleware-based route protection bypass | CWE-436 | 9.1 | Critical | 2026-04-24 |
| CVE-2026-41322 | @astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed | CWE-525 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-41067 | Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass | CWE-79 | 6.1 | Medium | 2026-04-24 |
| CVE-2026-33769 | Astro: Remote allowlist bypass via unanchored matchPathname wildcard | CWE-20 | 9.1 | - | 2026-03-24 |
| CVE-2026-33768 | Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` | CWE-441 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-29772 | Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands | CWE-770 | 5.9 | Medium | 2026-03-24 |
| CVE-2026-27829 | Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize | CWE-918 | 6.5 | Medium | 2026-02-26 |
| CVE-2026-27729 | Astro has memory exhaustion DoS due to missing request body size limit in Server Actions | CWE-770 | 5.9 | Medium | 2026-02-24 |
| CVE-2026-25545 | Astro has Full-Read SSRF in error rendering via Host: header injection | CWE-918 | 9.1 | - | 2026-02-24 |
| CVE-2025-66202 | Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 | CWE-647 | 6.5 | Medium | 2025-12-08 |
| CVE-2025-64765 | Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values | CWE-22 | 8.2 (AI) | High (AI) | 2025-11-19 |
| CVE-2025-64764 | Astro is vulnerable to Reflected XSS via the server islands feature | CWE-80 | 7.1 | High | 2025-11-19 |
| CVE-2025-65019 | Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint | CWE-79 | 5.4 | Medium | 2025-11-19 |
| CVE-2025-64757 | Astro Development Server is Vulnerable to Arbitrary Local File Read | CWE-22 | 3.5 | Low | 2025-11-19 |
| CVE-2025-64745 | Astro development server error page vulnerable to reflected Cross-site Scripting | CWE-79 | 2.7 | Low | 2025-11-13 |
| CVE-2025-64525 | Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass | CWE-918 | 6.5 | Medium | 2025-11-13 |
| CVE-2025-59837 | astro allows bypass of image proxy domain validation leading to SSRF and potential XSS | CWE-918 | 7.2 | High | 2025-10-28 |
| CVE-2025-61925 | Astro's `X-Forwarded-Host` is reflected with no validation | CWE-470 | 6.5 | Medium | 2025-10-10 |
| CVE-2025-58179 | Astro Cloudflare adapter is vulnerable to Server-Side Request Forgery via /_image endpoint | CWE-918 | 7.2 | High | 2025-09-04 |
| CVE-2025-55303 | Unauthorized third-party images in Astro's _image endpoint | CWE-79 | 7.2 (AI) | High (AI) | 2025-08-19 |
| CVE-2025-55207 | @astrojs/node's trailing slash handling causes open redirect issue | CWE-601 | 6.1 (AI) | Medium (AI) | 2025-08-15 |
| CVE-2025-54793 | Astro: Duplicate trailing slash feature can lead to Open Redirects | CWE-601 | 6.1 | - | 2025-08-08 |
| CVE-2024-56159 | Server source code is exposed to the public if sourcemaps are enabled | CWE-219 | 7.5 | - | 2024-12-19 |
| CVE-2024-56140 | Bypass of CSRF Middleware in Astro | CWE-352 | 5.9 | Medium | 2024-12-18 |
| CVE-2024-47885 | astro's client-side router has DOM Clobbering Gadget that leads to XSS | CWE-79 | 5.9 | Medium | 2024-10-14 |

Scores and severities marked "(AI)" are AI-estimated on the source page rather than taken from the official advisory; "-" means no severity was listed.

All 25 known CVE vulnerabilities affecting astro with full Chinese analysis, references, and POCs where available.