CVE-2024-47885: DOM Clobbering Gadget found in Astro's client-side router that leads to XSS
A DOM Clobbering gadget has been discovered in Astro’s client-side router. It can lead to cross-site scripting (XSS) in websites that enable Astro’s client-side routing and have stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.
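To find stored content that meets the second condition above, the following audit flags elements whose name attribute becomes a named property on document. It is an added example, not code from Astro or from the advisory. The function name auditFragment, the sample of built-in property names and the sample fragments are assumptions constructed for illustration; the element list generalizes from iframe to the other elements the HTML standard exposes on document by name.

```javascript
// Elements whose `name` attribute is exposed as a property on `document`
// (HTML standard, named access on Document). Treating every embed/object
// as exposed is a deliberate over-approximation for an audit.
const NAMED_ON_DOCUMENT = new Set(["embed", "form", "iframe", "img", "object"]);

// Constructed, non-exhaustive sample of built-in Document properties that a
// colliding `name` would shadow. Extend it for the code you are reviewing.
const BUILTIN_DOCUMENT_PROPS = new Set([
  "body", "cookie", "currentScript", "defaultView", "documentElement",
  "forms", "head", "images", "links", "location", "scripts", "title",
]);

// Triage-grade matching: a `>` inside a quoted attribute value cuts the tag
// short, so use a real HTML parser when sanitizing rather than auditing.
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
const NAME_RE = /(?:^|\s)name\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Returns one finding per element in `html` that defines a named property
// on `document`, marking those that shadow a known built-in.
function auditFragment(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (!NAMED_ON_DOCUMENT.has(tag)) continue;
    const attr = NAME_RE.exec(m[2]);
    if (!attr) continue;
    const name = attr[1] ?? attr[2] ?? attr[3];
    if (name === "") continue; // an empty name defines no property
    findings.push({ tag, name, shadowsBuiltin: BUILTIN_DOCUMENT_PROPS.has(name) });
  }
  return findings;
}

// Constructed sample fragments standing in for stored user content.
const SAMPLE_FRAGMENTS = [
  '<p>hello</p><iframe name="scripts"></iframe>',
  '<img src="a.png" data-name="cookie">',
  "<form NAME=login><input name='user'></form>",
];

for (const fragment of SAMPLE_FRAGMENTS) {
  console.log(JSON.stringify(auditFragment(fragment)));
}
```

Findings with shadowsBuiltin set to true are the ones to review first; the durable fix is to strip or prefix name attributes when the content is stored or rendered.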