Content-Security-Policy header generation in middleware could be compromised by malicious injections

Impact When the following conditions are met: - Automated CSP headers generation for SSR content is enabled - The web application serves content that can be partially controlled by external users Then it is possible that the CSP headers generation feature might be "allow-listing" malicious inject...

CVE-2024-29896 Astro-Shield's Content-Security-Policy header generation in middleware could be compromised by malicious injections

Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the C...

CVE-2024-29896

CVE-2024-29896 affects the Astro-Shield library. The vulnerability stems from automated CSP header generation for SSR content, where the CSP header may inadvertently allowlisting malicious injected resources (e.g., inlined or external scripts) when content can be partially controlled by external ...