npm

astro

30 known vulnerabilities · 0 critical · 0 high

CVE-2025-64765

Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

Published Nov 19, 2025
CVE-2024-56159

Astro's server source code is exposed to the public if sourcemaps are enabled

Published Dec 19, 2024
CVE-2025-64745

Astro development server error page is vulnerable to reflected Cross-site Scripting

Published Nov 13, 2025
CVE-2025-55303

Astro allows unauthorized third-party images in _image endpoint

Published Aug 19, 2025
CVE-2026-33769

Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Published Mar 26, 2026
CVE-2024-56140

Astro CSRF Middleware Bypass (security.checkOrigin)

Published Dec 18, 2024
CVE-2025-54793

Astro's duplicate trailing slash feature leads to an open redirection security issue

Published Aug 7, 2025
CVE-2025-66202

Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765

Published Dec 8, 2025
GHSA-j687-52p2-xcff

Astro: XSS in define:vars via incomplete </script> tag sanitization

Published Apr 21, 2026
CVE-2025-65019

Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint

Published Nov 19, 2025
CVE-2024-47885

DOM Clobbering Gadget found in astro's client-side router that leads to XSS

Published Oct 14, 2024
CVE-2025-64757

Astro Development Server has Arbitrary Local File Read

Published Nov 19, 2025
CVE-2025-64764

Astro vulnerable to reflected XSS via the server islands feature

Published Nov 19, 2025
CVE-2025-61925

Astro's `X-Forwarded-Host` is reflected without validation

Published Oct 10, 2025
CVE-2025-26042

Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Published Mar 31, 2025
CVE-2026-33768

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Published Mar 26, 2026
CVE-2026-29772

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands

Published Mar 24, 2026
CVE-2025-25285

@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Published Feb 14, 2025
CVE-2025-25288

@octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Published Feb 14, 2025
CVE-2025-25289

@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Published Feb 14, 2025
MAL-2025-1505

Malicious code in storyblok-rich-text-astro-renderer-workspace (npm)

Published Feb 20, 2025
CVE-2026-27829

Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize

Published Feb 25, 2026
CVE-2026-25545

Astro has Full-Read SSRF in error rendering via Host: header injection

Published Feb 23, 2026
GHSA-c57f-mm3j-27q9

Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed

Published Apr 23, 2026
CVE-2025-25290

@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Published Feb 14, 2025
CVE-2026-27729

Astro has memory exhaustion DoS due to missing request body size limit in Server Actions

Published Feb 25, 2026
CVE-2026-27904

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Published Feb 26, 2026
MAL-2023-786

Malicious code in spaceman-an-astronauts-unlikely-journey-to-unlock-the-secrets-of-the-universe-by-mike-massimino-on-a (npm)

Published May 10, 2023
MAL-2025-3756

Malicious code in astro-scripts (npm)

Published May 12, 2025
MAL-2023-8641

Malicious code in astroia (npm)

Published Nov 30, 2023