Threat Advisory

Astro Vulnerability Allows Host Header SSRF

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in npm/astro versions prior to 6.4.6 and 6.3.3. The first issue enables server‑side request forgery (SSRF) by allowing an attacker to craft a malicious Host header that causes the runtime to fetch an arbitrary external resource when a prerendered error page is rendered. The second issue introduces a reflected cross‑site scripting (XSS) flaw where an unescaped slot name in a client directive can break out of an attribute and inject arbitrary HTML. Both vulnerabilities can be triggered remotely and may lead to data leakage, unauthorized internal network access, and compromise of end‑user browsers, posing significant reputational and compliance risk for organizations that rely on Astro for server‑side rendering.


• CVE-2026-54299 with a CVSS score of 7.5 – This SSRF flaw arises from an unvalidated Host header used to construct the URL of a prerendered error page; an attacker can send a request with a malicious Host value, trigger a 404 or 500 response, and cause the server to fetch and return data from an arbitrary host. Exploitation requires only the ability to induce an error and control the Host header.
• CVE-2026-50146 with a CVSS score of 7.1 – The reflected XSS issue stems from the slot name being inserted into a data-astro-template attribute without HTML escaping; by supplying a crafted slot name via a query parameter, an attacker can break out of the attribute and execute arbitrary JavaScript in the victim’s browser. The attack is possible against any Astro SSR deployment using client directives with unescaped slot names.

These flaws present immediate attack vectors that can be leveraged without authentication, making rapid remediation essential. If exploited, the SSRF vulnerability could expose internal services or leak sensitive data, while the XSS flaw can lead to session hijacking and brand damage through malicious script execution in users’ browsers. Organizations should treat the combined risk as high priority to protect data integrity and maintain customer trust.
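The two defensive checks below address the failure modes described above and are added here as an illustration; they are not Astro's own code or its patch. The error-page URL is built from a configured origin rather than the request Host, and slot names are escaped before being placed in an attribute. ALLOWED_HOSTS, SITE_ORIGIN and the function names are assumptions.

```javascript
// Added example (not Astro's code): hardened handling for the two issues
// in this advisory. The allowlist and origin below are assumed configuration.

const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]); // assumed
const SITE_ORIGIN = "https://www.example.com"; // assumed canonical origin

// Build the URL of a prerendered error page without trusting the request's
// Host header. The Host value is only compared against an allowlist (after
// dropping any port); the origin used for the fetch always comes from config,
// so a crafted Host can never redirect the runtime to an external host.
function errorPageUrl(hostHeader, status) {
  const host = String(hostHeader ?? "").split(":")[0].toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    return null; // untrusted Host: refuse to build any outbound URL from it
  }
  if (status !== 404 && status !== 500) return null; // only error pages exist
  return new URL(`/${status}.html`, SITE_ORIGIN).href;
}

// Escape a value before placing it inside a double-quoted HTML attribute so a
// crafted slot name cannot close the attribute and inject markup.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the template attribute the way a hardened SSR step would emit it.
function templateAttr(slotName) {
  return `data-astro-template="${escapeAttr(slotName)}"`;
}
```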

RECOMMENDATION:

• We recommend updating npm/astro to version 6.4.6.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2pvr-wf23-7pc7
https://github.com/advisories/GHSA-8hv8-536x-4wqp
