Threat Advisory

Astro Vulnerability Enables Host Header SSRF

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Astro web framework (npm package astro) affecting versions prior to 6.4.6 and prior to 6.3.3. The issues include a server‑side request forgery (SSRF) vulnerability triggered by unvalidated Host headers and a reflected cross‑site scripting (XSS) flaw caused by unescaped slot names in client directives. Both weaknesses can be exploited remotely without authentication, potentially allowing attackers to retrieve internal resources, pivot within the network, or execute malicious scripts in users’ browsers. The business risk encompasses data leakage, unauthorized access to internal services, credential theft, brand damage, and regulatory compliance violations.


• CVE-2026-54299 with a CVSS score of 7.5 – This SSRF flaw allows an attacker to supply a malicious Host header, causing the server to fetch an attacker‑controlled URL when a prerendered error page is rendered, exposing internal services or data. Exploitation requires the ability to trigger a 404/500 response on a vulnerable SSR deployment.
• CVE-2026-50146 with a CVSS score of 7.1 – A reflected XSS issue arises from an unescaped slot name in client directives; an attacker can craft a URL parameter that injects arbitrary HTML/JavaScript into the rendered page, executing in the context of visitors. Exploitation only requires a victim to visit a maliciously crafted link.
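The Host-header SSRF above comes down to a server trusting the client-supplied Host value when it builds a URL that it will fetch itself. The following JavaScript is an added illustration, not Astro's code or the advisory's: it contrasts the unsafe pattern with an allowlist check, and runs that same check over a few constructed access-log lines so a defender can spot requests whose Host value is outside the deployment's known hostnames. The allowlist, the log format and all hostnames and addresses in it are assumptions made up for the example.

```javascript
// Added example (not Astro's code): validate the Host header before it is
// used to build a URL the server will fetch itself, and flag requests whose
// Host header is outside the allowlist.
//
// Assumption (not from the advisory): the deployment knows the hostnames it
// legitimately answers for. Entries are lowercase host or host:port.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com", "localhost:4321"]);

// Parse a Host header into hostname and optional port. Returns null for
// anything that is not a plain host[:port]: schemes, paths, userinfo ('@'),
// whitespace or an out-of-range port are all rejected.
function parseHostHeader(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader.length === 0 || hostHeader.length > 255) {
    return null;
  }
  const m = /^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)(?::(\d{1,5}))?$/i
    .exec(hostHeader);
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { hostname: m[1].toLowerCase(), port };
}

// Hardened form: returns an origin only when the Host header is on the
// allowlist, so an internal self-request can never be steered elsewhere.
function safeOrigin(hostHeader, protocol = "https", allowedHosts = ALLOWED_HOSTS) {
  const parsed = parseHostHeader(hostHeader);
  if (!parsed) return null;
  const canonical = parsed.port === null ? parsed.hostname : `${parsed.hostname}:${parsed.port}`;
  if (!allowedHosts.has(canonical)) return null;
  return `${protocol}://${canonical}`;
}

// Vulnerable pattern for contrast: whatever the client sent becomes the
// origin of a URL the server will request.
function unsafeOrigin(hostHeader, protocol = "https") {
  return `${protocol}://${hostHeader}`;
}

// Detection: scan access-log lines in a constructed "status host path" format
// and return the entries whose Host value would fail the allowlist check.
function findSuspiciousHosts(logLines, allowedHosts = ALLOWED_HOSTS) {
  const hits = [];
  for (const line of logLines) {
    const [status, host, path] = line.trim().split(/\s+/);
    if (safeOrigin(host, "https", allowedHosts) === null) {
      hits.push({ status: Number(status), host, path });
    }
  }
  return hits;
}

// Constructed sample log lines (not taken from the advisory or any real system).
const SAMPLE_LOG = [
  "200 www.example.com /",
  "404 www.example.com /missing",
  "404 attacker.example.net /missing",
  "500 10.0.0.5 /api",
  "404 www.example.com@evil.example /x",
];

// Stand-alone run: prints the flagged log entries.
console.log(findSuspiciousHosts(SAMPLE_LOG));
```

Two design points: the hostname is lowercased before the lookup so `WWW.EXAMPLE.COM` and `www.example.com` resolve to the same allowlist entry, and the parser rejects any header that is not a bare host with an optional numeric port, which keeps userinfo and path tricks from reaching the allowlist comparison at all. Running the detector over error-status lines (404/500) in particular matches the trigger condition the advisory describes.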

Both vulnerabilities present high‑severity threats that can be exploited remotely without authentication, demanding immediate attention from stakeholders. If leveraged, the SSRF can be used to pivot within internal networks or exfiltrate data, while the XSS can lead to session hijacking and brand reputation damage. Organizations running Astro SSR applications should consider the potential operational and legal impacts.

RECOMMENDATION:

  • We recommend updating npm/astro to version 6.4.6.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2pvr-wf23-7pc7
https://github.com/advisories/GHSA-8hv8-536x-4wqp
