
withastro — Vulnerabilities & Security Advisories 25

Browse all 25 CVE security advisories affecting withastro. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Astro, published by the withastro GitHub organization, is a web framework for content-focused websites. It renders components to static HTML, CSS and JavaScript at build time by default and can also run server-side rendering through adapters such as @astrojs/node and @astrojs/cloudflare. The 25 advisories listed below are filed against the core astro package and those adapters, not against third-party dependencies, and they cluster in a few classes: server-side request forgery through the image-optimization endpoints and error rendering (CVE-2025-58179, CVE-2025-59837, CVE-2026-25545, CVE-2026-27829, CVE-2026-41321), reflected or stored cross-site scripting (CVE-2024-47885, CVE-2025-64764, CVE-2025-65019, CVE-2026-41067), bypasses of path-based middleware checks via URL encoding or attacker-controlled request headers (CVE-2025-64765, CVE-2025-66202, CVE-2025-64525, CVE-2026-33768), open redirects from trailing-slash handling (CVE-2025-54793, CVE-2025-55207), memory-exhaustion denial of service from unbounded request bodies (CVE-2026-27729, CVE-2026-29772), exposure of server source through enabled sourcemaps (CVE-2024-56159), and a CSRF middleware bypass (CVE-2024-56140). Several entries are bypasses of earlier fixes (CVE-2025-66202 for CVE-2025-64765, CVE-2025-64525 for CVE-2025-61925), so tracking the latest release matters more than reaching the first patched version. The static output itself carries little attack surface; the exposure lies in server-rendered deployments, the development server (CVE-2025-64757, CVE-2025-64745), and any middleware that makes an authorization decision from an unnormalized URL or a forwarded header.

Top products by withastro: astro, @astrojs/cloudflare
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41322 | @astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed | astro | CWE-525 | 5.3 | Medium | 2026-04-24 |
| CVE-2026-41321 | @astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint | @astrojs/cloudflare | CWE-918 | 2.2 | Low | 2026-04-24 |
| CVE-2026-41067 | Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass | astro | CWE-79 | 6.1 | Medium | 2026-04-24 |
| CVE-2026-33769 | Astro: Remote allowlist bypass via unanchored matchPathname wildcard | astro | CWE-20 | 9.1 | - | 2026-03-24 |
| CVE-2026-33768 | Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` | astro | CWE-441 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-29772 | Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands | astro | CWE-770 | 5.9 | Medium | 2026-03-24 |
| CVE-2026-27829 | Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize | astro | CWE-918 | 6.5 | Medium | 2026-02-26 |
| CVE-2026-27729 | Astro has memory exhaustion DoS due to missing request body size limit in Server Actions | astro | CWE-770 | 5.9 | Medium | 2026-02-24 |
| CVE-2026-25545 | Astro has Full-Read SSRF in error rendering via Host: header injection | astro | CWE-918 | 9.1 | - | 2026-02-24 |
| CVE-2025-66202 | Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 | astro | CWE-647 | 6.5 | Medium | 2025-12-08 |
| CVE-2025-64765 | Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values | astro | CWE-22 | 8.2 (AI) | High (AI) | 2025-11-19 |
| CVE-2025-64764 | Astro is vulnerable to Reflected XSS via the server islands feature | astro | CWE-80 | 7.1 | High | 2025-11-19 |
| CVE-2025-65019 | Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint | astro | CWE-79 | 5.4 | Medium | 2025-11-19 |
| CVE-2025-64757 | Astro Development Server is Vulnerable to Arbitrary Local File Read | astro | CWE-22 | 3.5 | Low | 2025-11-19 |
| CVE-2025-64745 | Astro development server error page vulnerable to reflected Cross-site Scripting | astro | CWE-79 | 2.7 | Low | 2025-11-13 |
| CVE-2025-64525 | Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass | astro | CWE-918 | 6.5 | Medium | 2025-11-13 |
| CVE-2025-59837 | astro allows bypass of image proxy domain validation leading to SSRF and potential XSS | astro | CWE-918 | 7.2 | High | 2025-10-28 |
| CVE-2025-61925 | Astro's `X-Forwarded-Host` is reflected with no validation | astro | CWE-470 | 6.5 | Medium | 2025-10-10 |
| CVE-2025-58179 | Astro Cloudflare adapter is vulnerable to Server-Side Request Forgery via /_image endpoint | astro | CWE-918 | 7.2 | High | 2025-09-04 |
| CVE-2025-55303 | Unauthorized third-party images in Astro’s _image endpoint | astro | CWE-79 | 7.2 (AI) | High (AI) | 2025-08-19 |
| CVE-2025-55207 | @astrojs/node's trailing slash handling causes open redirect issue | astro | CWE-601 | 6.1 (AI) | Medium (AI) | 2025-08-15 |
| CVE-2025-54793 | Astro: Duplicate trailing slash feature can lead to Open Redirects | astro | CWE-601 | 6.1 | - | 2025-08-08 |
| CVE-2024-56159 | Server source code is exposed to the public if sourcemaps are enabled | astro | CWE-219 | 7.5 | - | 2024-12-19 |
| CVE-2024-56140 | Bypass of CSRF Middleware in Astro | astro | CWE-352 | 5.9 | Medium | 2024-12-18 |
| CVE-2024-47885 | astro's client-side router has DOM Clobbering Gadget that leads to XSS | astro | CWE-79 | 5.9 | Medium | 2024-10-14 |

Values marked (AI) carry the page's AI tag next to the score, meaning the site generated them rather than taking them from the advisory; a "-" in the Severity column means the page lists no severity for that entry.
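Two of the classes in the table lend themselves to a small worked illustration: pathname-based middleware checks defeated first by single and then by double URL encoding (CVE-2025-64765 and its bypass CVE-2025-66202), and an allowlist matcher whose wildcard pattern is not anchored (CVE-2026-33769). The JavaScript below is an added example written for this page, not code from the Astro project or from any advisory. It assumes the situation the advisory titles describe: the router acts on the decoded path while a naive check compares the raw `url.pathname`, and a glob-style allowlist is compiled to a regular expression. The `PROTECTED_PREFIX` route, the `canonicalPath` helper and the `matchPathname` function are hypothetical names chosen for the example.

```javascript
// Added example for this page, not Astro's code. It illustrates the path
// check bypasses in the table (CVE-2025-64765 / CVE-2025-66202) and the
// unanchored wildcard allowlist (CVE-2026-33769). Assumption: the router
// resolves the decoded path while a naive check sees the raw one.

const PROTECTED_PREFIX = "/admin"; // hypothetical protected route

// Vulnerable: compares the raw pathname, so "/%61dmin" slips past.
function isProtectedNaive(pathname) {
  return pathname.startsWith(PROTECTED_PREFIX);
}

// Incomplete fix: decodes once, so "/%2561dmin" (double-encoded) slips past.
function isProtectedDecodeOnce(pathname) {
  try {
    return decodeURIComponent(pathname).startsWith(PROTECTED_PREFIX);
  } catch {
    return true; // malformed escape: fail closed
  }
}

// Canonicalise a request path before any authorisation decision: decode
// until the result stops changing (bounded), resolve "." and ".." segments,
// collapse repeated slashes and drop a trailing slash. Returns null for
// input that should be rejected (bad escape, NUL byte, or still changing
// after the decode budget).
function canonicalPath(pathname) {
  let p = pathname;
  let stable = false;
  for (let i = 0; i < 4; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(p);
    } catch {
      return null;
    }
    if (decoded === p) {
      stable = true;
      break;
    }
    p = decoded;
  }
  if (!stable || p.includes("\0")) return null;
  const segments = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Hardened: decide on the canonical path and treat unparseable input as
// protected. Matches the exact route or anything below it, not "/adminx".
function isProtectedHardened(pathname) {
  const p = canonicalPath(pathname);
  if (p === null) return true;
  return p === PROTECTED_PREFIX || p.startsWith(PROTECTED_PREFIX + "/");
}

// Allowlist glob -> RegExp. "*" matches within one segment, "**" spans
// segments. Without ^...$ the pattern matches anywhere inside the path,
// which is the unanchored-wildcard failure the table names.
function globToRegExp(pattern, anchored) {
  const body = pattern
    .split("**")
    .map((part) =>
      part
        .split("*")
        .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
        .join("[^/]*")
    )
    .join(".*");
  return new RegExp(anchored ? `^${body}$` : body);
}

// Allowlist check: canonicalise first, then test the (anchored) pattern.
function matchPathname(pattern, pathname, anchored = true) {
  const p = canonicalPath(pathname);
  return p !== null && globToRegExp(pattern, anchored).test(p);
}
```

The hardened check fails closed on malformed escapes and on paths still changing after the decode budget; whether a site wants to reject such requests outright is a design choice, but treating them as public is the failure mode the table's bypass entries describe. Anchoring alone does not rescue an allowlist if the input has not been canonicalised first, which is why `matchPathname` runs `canonicalPath` before testing the pattern.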

This page lists every published CVE security advisory associated with withastro. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.