Astro - Information Disclosure
Astro versions v5.0.3 through v5.0.7, and Astro v4.16.17 or older, with sourcemaps enabled contain a source code disclosure caused by sourcemap files being publicly accessible in the build output folder, letting unauthenticated users read server source code; the exploit requires sourcemaps to be enable...
PT-2026-43307
Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use...
EUVD-2024-3552
Malicious code in bioql PyPI...
CVE-2024-56159 Server source code is exposed to the public if sourcemaps are enabled
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible...
CVE-2024-56159
Astro CVE-2024-56159 describes an information-disclosure vulnerability where sourcemap files for server code are published publicly during build, enabling unauthenticated access to server source. Affected: server-output (SSR) projects on Astro 5.x from 5.0.3–5.0.7 with sourcemaps enabled; fix rel...
GHSA-49W6-73CW-CHJR Astro's server source code is exposed to the public if sourcemaps are enabled
Summary A bug in the build process allows any unauthenticated user to read parts of the server source code. Details During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder...
PT-2024-36726
Name of the Vulnerable Software and Affected Versions
- Astro versions 4.16.17 and earlier
- Astro versions 5.0.3 through 5.0.7
- Astro versions 5.0.8 and earlier for static-output projects
Description A bug in the build process of Astro allows any unauthenticated user to read parts of the server sourc...
@cameronhunter/jest-json-schema (=2.1.0), @limedocs/core (>=1.0.0-beta.1 <=1.0.0-beta.13) +3 more potentially affected by unknown CVE via url-relative (=1.0.0)
url-relative NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on url-relative and may be impacted: - @cameronhunter/jest-json-schema =2.1.0 - @limedocs/core =1.0.0-beta.1, =0.9.0, =0.16.16 Source cves: unknown CVE Source advisory:...
GHSA-2XV3-H762-CCXV Out-of-bounds Read in concat-with-sourcemaps
Versions of concat-with-sourcemaps before 1.0.6 allocate uninitialized Buffers when a number is passed as a separator. Recommendation Update to version 1.0.6 or later...
athena-beta (>=1.0.0 <=2.0.4), athena-html (>=1.2.10 <=2.0.0-alpha.8) +8 more potentially affected by unknown CVE via concat-with-sourcemaps (>=1.0.0 <=1.0.4)
concat-with-sourcemaps NPM version =1.0.0, =1.0.0, =1.2.10, =1.0.0, =1.0.1, =0.0.2, =0.3.0, =1.0.0, =1.0.8 - peachhtmlproduction =1.0.0 Source cves: unknown CVE Source advisory: OSV:GHSA-2XV3-H762-CCXV...
Out-of-bounds Read
Overview Versions of concat-with-sourcemaps before 1.0.6 allocate uninitialized Buffers when a number is passed as a separator. Recommendation Update to version 1.0.6 or later. References - HackerOne Report - Source Reference - GitHub Advisory...
Node.js third-party modules: `concat-with-sourcemaps` allocates uninitialized Buffers when number is passed as a separator
I would like to report an uninitialized Buffer allocation issue in concat-with-sourcemaps. It allows extracting sensitive data from uninitialized memory or causing a DoS by passing in a large number, in unlikely setups where the separator is attacker-controlled. Module module name:...