10 matches found
CVE-2026-41322
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all...
EUVD-2026-25580
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all...
GHSA-MR6Q-RP88-FX84 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Summary The @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirel...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview @astrojs/vercel is a Deploy your site to Vercel Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via the x-astro-path header or xastropath query parameter, which allows overriding internal request paths without authentication. An...
CVE-2026-33768
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...
CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...
CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...
CVE-2026-33768
Astro: Unauthenticated Path Override via x-astro-path/x_astro_path affects Astro 5.18.1 + @astrojs/vercel 9.0.4 and Astro 6.0.3 + @astrojs/vercel 10.0.0, with patch in 10.0.2. The vulnerable code rewrites the internal request path from a caller-supplied header or query parameter without authentic...
CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...
PT-2026-27487
Name of the Vulnerable Software and Affected Versions Astro versions prior to 10.0.2 Description Astro, a web framework, contains a flaw in the @astrojs/vercel serverless entrypoint. Versions prior to 10.0.2 do not authenticate requests using the x-astro-path header or x astro path query paramete...