Astro SSR - Server-Side Request Forgery

Astro before 5.17.3 and @astrojs/node before 9.5.4 are vulnerable to full-read SSRF due to improper Host header validation in error page rendering, allowing attackers to redirect requests and access internal resources. id: CVE-2026-25545 info: name: Astro SSR - Server-Side Request Forgery author:...

Reusing a Nonce, Key Pair in Encryption

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Reusing a Nonce, Key Pair in Encryption of server island parameters. An attacker can inject malicious HTML or script content into a...

@stnd/build (=0.18.70), saku-doc (>=0.0.1 <=0.0.4) +1 more potentially affected by CVE-2026-45028 via astro (>=6.0.0-beta.1 <=6.0.4)

astro NPM version =6.0.0-beta.1, =0.0.1, =0.0.4 - stnd =0.18.70 Source cves: CVE-2026-45028 Source advisory: SNYK:JS-ASTRO-16643260...

@1771technologies/oneplay (>=0.0.1 <=0.0.6), @akalymon/web (=0.1.0) +599 more potentially affected by CVE-2026-41067 via astro (>=0.20.12 <=6.1.5)

astro NPM version =0.20.12, =0.0.1, =0.1.6, =1.0.0, =0.5.0, =1.0.0, =1.0.0, =0.0.17, =0.0.2, =0.0.1, =0.2.0, =0.3.0 and more Source cves: CVE-2026-41067 Source advisory: OSV:GHSA-J687-52P2-XCFF...

Astro: XSS in define:vars via incomplete </script> tag sanitization

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

@chocolatey-software/astro (>=2.7.0 <=2.8.0), @kyro-cms/admin (=0.1.2) +9 more potentially affected by CVE-2026-41067 via astro (>=6.0.0-beta.1 <=6.1.5)

astro NPM version =6.0.0-beta.1, =2.7.0, =0.19.0, =0.19.0, =1.10.0, =1.0.0, =1.4.2, =0.0.1, =0.0.1, =0.0.7 Source cves: CVE-2026-41067 Source advisory: SNYK:JS-ASTRO-16119128...

GHSA-G735-7G2W-HH3F Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Summary This issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a...

@stnd/build (=0.18.70), stnd (=0.18.70) potentially affected by CVE-2026-29772 via astro (=6.0.0-beta.1)

astro NPM version =6.0.0-beta.1 is affected by a known vulnerability. The following packages have a transitive dependency on astro and may be impacted: - @stnd/build =0.18.70 - stnd =0.18.70 Source cves: CVE-2026-29772 Source advisory: SNYK:JS-ASTRO-15763371...

Allocation of Resources Without Limits or Throttling

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /server-islands/name route handler, which buffers and parses the entire...

@stnd/build (=0.18.70), stnd (=0.18.70) potentially affected by CVE-2026-27729 via astro (=6.0.0-beta.1)

astro NPM version =6.0.0-beta.1 is affected by a known vulnerability. The following packages have a transitive dependency on astro and may be impacted: - @stnd/build =0.18.70 - stnd =0.18.70 Source cves: CVE-2026-27729 Source advisory: SNYK:JS-ASTRO-15338138...

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +21 more potentially affected by CVE-2026-27729 via astro (>=5.10.1 <=5.17.2)

astro NPM version =5.10.1, =1.0.0, =0.5.0, =0.0.1, =0.1.0, =0.0.1, =2.0.0, =2.18.7, =0.1.2-alpha.1, =0.0.28, =0.0.28, =1.5.1, =1.13.2, =0.0.1, =0.0.2 and more Source cves: CVE-2026-27729 Source advisory: SNYK:JS-ASTRO-15338138...

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +23 more potentially affected by CVE-2026-25545 via astro (>=5.0.0-beta.5 <=5.17.2)

astro NPM version =5.0.0-beta.5, =1.0.0, =0.5.0, =0.0.1, =0.1.0, =0.0.1, =2.0.0, =2.18.7, =0.1.2-alpha.1, =0.0.28, =0.0.28, =1.5.1, =1.13.2, =0.0.1, =0.0.2 and more Source cves: CVE-2026-25545 Source advisory: SNYK:JS-ASTRO-15338137...

Use of Non-Canonical URL Paths for Authorization Decisions

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for...

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +19 more potentially affected by CVE-2025-64765 +1 more via astro (>=5.0.0-beta.5 <=5.16.2)

astro NPM version =5.0.0-beta.5, =1.0.0, =0.5.0, =0.0.1, =0.1.0, =0.0.1, =2.18.7, =0.1.2-alpha.1, =0.0.28, =0.0.28, =1.5.1, =1.13.2, =0.1.8, =1.0.21, =1.0.22 and more Source cves: CVE-2025-64765, CVE-2025-66202 Source advisory: SNYK:JS-ASTRO-14235580...

@ampt/astro (=0.0.1-beta.1), @antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1) +381 more potentially affected by CVE-2025-64765 +1 more via astro (>=0.20.12 <=5.15.6)

astro NPM version =0.20.12, =1.0.0, =0.5.0, =1.0.0, =0.0.17, =0.0.2, =0.0.1, =0.2.0, =0.0.0-experimental-7c2f356, =0.0.0-experimental-7c2f356, =0.5.1 - @astro-sanctuary/toolbar-drupal =0.1.1 - @astrojs/og =0.0.1 and more Source cves: CVE-2025-64765, CVE-2025-66202 Source advisory:...

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +18 more potentially affected by CVE-2025-64765 via astro (>=5.0.0-beta.5 <=5.15.6)

astro NPM version =5.0.0-beta.5, =1.0.0, =0.5.0, =0.0.1, =0.1.0, =0.0.1, =2.18.7, =0.1.2-alpha.1, =0.0.28, =0.0.28, =1.13.2, =0.1.8, =1.0.21, =1.0.22 and more Source cves: CVE-2025-64765 Source advisory: SNYK:JS-ASTRO-14059661...

Astro vulnerable to reflected XSS via the server islands feature

Summary After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted application, regardless of what was intended by the component templates. Details Server islands run in their own isolated context outside of the page reques...

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @awesome-myst/myst-awesome (>=0.0.1 <=0.0.7) +10 more potentially affected by CVE-2025-64757 via astro (>=5.0.0-beta.5 <=5.14.1)

astro NPM version =5.0.0-beta.5, =1.0.0, =0.0.1, =0.0.1, =2.18.7, =0.1.2-alpha.1, =1.13.2, =0.1.8, =1.0.21, =0.0.1, =0.0.1, =1.249.8, =1.271.1 Source cves: CVE-2025-64757 Source advisory: SNYK:JS-ASTRO-14059139...

GHSA-HR2Q-HP5Q-X767 Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass

Summary In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are: - Middleware-based protected route bypass only via...

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +304 more potentially affected by CVE-2025-64525 via astro (>=2.1.2 <=5.15.1)

astro NPM version =2.1.2, =1.0.0, =0.5.0, =1.0.0, =0.0.17, =0.0.2, =0.2.0, =0.0.0-experimental-7c2f356, =0.0.0-experimental-7c2f356, =0.0.1, =0.0.1, =0.1.3, =0.1.4 - @bankai/byte-blocks =0.3.1 and more Source cves: CVE-2025-64525 Source advisory: OSV:GHSA-HR2Q-HP5Q-X767...