Description
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Affected products
- withastro / astro>= 2.16.0, < 5.15.5 – >= 2.16.0, < 5.15.5
Exploits & PoCs
- nucleiAstro - Broken Access Controlby zhero___,DhiyaneshDK
References
- VENDOR_ADVISORYhttps://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767
- PATCHhttps://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4
- MISChttps://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121
- MISChttps://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97