Astro's server source code is exposed to the public if sourcemaps are enabled
A bug in the build process allows any unauthenticated user to read parts of the server source code.
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
A DOM Clobbering gadget has been discovered in Astro's client-side router. It can lead to cross-site scripting (XSS) on websites that enable Astro's client-side routing and have stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.
Sentry-Javascript is the official set of Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK versions 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0.