Content-Security-Policy header generation in middleware could be compromised by malicious injections

High severity GitHub Reviewed Published Mar 27, 2024 in kindspells/astro-shield • Updated Mar 29, 2024

Package

npm @kindspells/astro-shield (npm)

Affected versions

= 1.2.0

Patched versions

1.3.0

Description

Impact

When the following conditions are met:

  • Automated CSP headers generation for SSR content is enabled
  • The web application serves content that can be partially controlled by external users

Then the CSP header generation feature may "allow-list" the injected resources themselves: because the generated policy is derived from the rendered SSR output, any inline JS or reference to an external script that an attacker managed to inject into that output is treated like the application's own scripts and ends up permitted by the policy. In that situation the generated CSP gives no protection against the injection it was meant to contain; the injection still has to be prevented by escaping or sanitizing the user-controlled content before it is rendered.

Patches

Fixed in version 1.3.0.

Workarounds

  • Do not enable CSP headers generation.
  • Use it only for dynamically generated content that cannot be controlled by external users in any way.

References

@castarco castarco published to kindspells/astro-shield Mar 27, 2024
Published by the National Vulnerability Database Mar 28, 2024
Published to the GitHub Advisory Database Mar 29, 2024
Reviewed Mar 29, 2024
Last updated Mar 29, 2024

Severity

High
7.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID

CVE-2024-29896

GHSA ID

GHSA-w387-5qqw-7g8m
