astro-4.16.10.tgz: 2 vulnerabilities (highest severity is: 5.9) - autoclosed #12
Description
Vulnerable Library - astro-4.16.10.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-4.16.10.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (astro version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-56140 |  Medium |
5.9 | astro-4.16.10.tgz | Direct | astro - 4.16.17 | ✅ |
| CVE-2024-56159 | Medium |
5.3 | astro-4.16.10.tgz | Direct | astro - 4.16.18,5.0.8 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-56140
Vulnerable Library - astro-4.16.10.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-4.16.10.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json
Dependency Hierarchy:
- ❌ astro-4.16.10.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the "security.checkOrigin" configuration option is set to "true", Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in "Content-Type". Web browsers will treat a "Content-Type" such as "application/x-www-form-urlencoded; abc" as a "simple request" and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the "Content-Type" header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-12-18
URL: CVE-2024-56140
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-c4pw-33h3-35xw
Release Date: 2024-12-18
Fix Resolution: astro - 4.16.17
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-56159
Vulnerable Library - astro-4.16.10.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-4.16.10.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json
Dependency Hierarchy:
- ❌ astro-4.16.10.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in "src/pages") are predictably named. For example. the sourcemap file for "src/pages/index.astro" gets named "dist/client/pages/index.astro.mjs.map". This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the "dist/client" (referred to as "config.build.client" in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains ".map" files corresponding to the code that runs on the server. All server-output projects on Astro 5 versions v5.0.3 through v5.0.7, that have sourcemaps enabled, either directly or through an add-on such as "sentry", are affected. The fix for server-output projects was released in astro@5.0.8. Additionally, all static-output projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.8 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.9, and backported to Astro v4 in astro@4.16.18. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for server-output projects was released in astro@5.0.8, and the fix for static-output projects was released in astro@5.0.9 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
Publish Date: 2024-12-19
URL: CVE-2024-56159
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-49w6-73cw-chjr
Release Date: 2024-12-19
Fix Resolution: astro - 4.16.18,5.0.8
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.