CVE-2026-33769
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that...
CVE-2026-29772
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...
CVE-2026-33768
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...
@stnd/build (=0.18.70), stnd (=0.18.70) potentially affected by CVE-2026-29772 via astro (=6.0.0-beta.1)
astro NPM version =6.0.0-beta.1 is affected by a known vulnerability. The following packages have a transitive dependency on astro and may be impacted: - @stnd/build =0.18.70 - stnd =0.18.70 Source cves: CVE-2026-29772 Source advisory: SNYK:JS-ASTRO-15763371...
Allocation of Resources Without Limits or Throttling
Overview: astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /server-islands/name route handler, which buffers and parses the entire...
@1771technologies/lytenyte-doc (=1.0.13), @1771technologies/oneplay (>=0.0.1 <=0.0.6) +577 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.0.0-markdoc-config-changes-20230626153541 <=0.7.5)
@astrojs/internal-helpers NPM version =0.0.0-markdoc-config-changes-20230626153541, =0.0.1, =0.0.3, =0.2.0, =1.1.0, =1.0.0, =1.3.0, =0.9.0, =0.5.2, =1.0.0, =0.5.0, =1.0.0, =1.0.0, =1.0.7 - @arya-technologies/astro-template =0.0.1 and more Source cves: CVE-2026-33769 Source advisory:...
@astrojs/cloudflare (>=13.0.0-beta.4 <=13.0.0-beta.14), @astrojs/markdoc (>=1.0.0-beta.7 <=1.0.0-beta.15) +8 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.8.0-beta.0 <=0.8.0-beta.3)
@astrojs/internal-helpers NPM version =0.8.0-beta.0, =13.0.0-beta.4, =1.0.0-beta.7, =7.0.0-beta.4, =5.0.0-beta.4, =7.0.0-beta.6, =10.0.0-beta.1, =10.0.0-beta.1, =6.0.0-beta.7, =6.0.0-beta.20 Source cves: CVE-2026-33769 Source advisory: SNYK:JS-ASTROJSINTERNALHELPERS-15763364...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview: @astrojs/vercel ("Deploy your site to Vercel"). Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the x-astro-path header or xastropath query parameter, which allows overriding internal request paths without authentication. An...
EUVD-2026-14962
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands...
astro-service-worker (=0.0.1) potentially affected by CVE-2026-29772 via @astrojs/node (=0.1.6)
@astrojs/node NPM version =0.1.6 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - astro-service-worker =0.0.1 Source cves: CVE-2026-29772 Source advisory: OSV:GHSA-3RMJ-9M5H-8FPV...
CVE-2026-33769 Astro: Remote allowlist bypass via unanchored matchPathname wildcard
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that...
CVE-2026-33769
CVE-2026-33769 affects the Astro web framework. From version 2.10.10 up to before 5.18.1, the remotePatterns path enforcement for remote URLs used by server-side fetchers (e.g., image optimization) uses an unanchored match for /* wildcards, allowing a pathname containing the allowed prefix later ...
CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...