79 行
4.7 KiB
JSON
79 行
4.7 KiB
JSON
{
|
|
"canonical_id": "astro--CVE-2024-56140",
|
|
"system_id": "astro",
|
|
"display_name": "Astro",
|
|
"category": "frameworks",
|
|
"advisory_mode": "core",
|
|
"title": "Atro CSRF Middleware Bypass (security.checkOrigin)",
|
|
"summary": "### Summary\n\nA bug in Astro\u2019s CSRF-protection middleware allows requests to bypass CSRF checks.\n\n### Details\n\nWhen the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)\n\nFor example, with the following Astro configuration:\n\n```js\n// astro.config.mjs\nimport { defineConfig } from 'astro/config';\nimport node from '@astrojs/node';\n\nexport default defineConfig({\n\toutput: 'server',\n\tsecurity: { checkOrigin: true },\n\tadapter: node({ mode: 'standalone' }),\n});\n```\n\nA request like the following would be blocked if made from a different origin:\n\n```js\n// fetch API or <form action=\"https://test.example.com/\" method=\"POST\">\nfetch('https://test.example.com/', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: 'a=b',\n\theaders: { 'Content-Type': 'application/x-www-form-urlencoded' },\n});\n// => Cross-site POST form submissions are forbidden\n```\n\nHowever, a vulnerability exists that can bypass this security.\n\n#### Pattern 1: Requests with a semicolon after the `Content-Type`\n\nA semicolon-delimited parameter is allowed after the type in `Content-Type`.\n\nWeb browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a [simple request](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and will not perform preflight validation. In this case, CSRF is not blocked as expected.\n\n```js\nfetch('https://test.example.com', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: 'test',\n\theaders: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },\n});\n// => Server-side functions are executed (Response Code 200).\n```\n\n#### Pattern 2: Request without `Content-Type` header\n\nThe `Content-Type` header is not required for a request. The following examples are sent without a `Content-Type` header, resulting in CSRF.\n\n```js\n// Pattern 2.1 Request without body\nfetch('http://test.example.com', { method: 'POST', credentials: 'include' });\n\n// Pattern 2.2 Blob object without type\nfetch('https://test.example.com', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: new Blob(['a=b'], {}),\n});\n```\n\n### Impact\n\nBypass CSRF protection implemented with CSRF middleware.\n\n> [!Note]\n> Even with `credentials: 'include'`, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.",
|
|
"published_at": "2024-12-18T15:02:37Z",
|
|
"updated_at": "2025-11-27T08:18:05.038082Z",
|
|
"severity": "low",
|
|
"cvss_score": 3.1,
|
|
"exploit_status": "unknown",
|
|
"source_confidence": "official",
|
|
"official_source_url": "https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2024-56140",
|
|
"https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de",
|
|
"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests",
|
|
"https://github.com/withastro/astro",
|
|
"https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts"
|
|
],
|
|
"aliases": [
|
|
"CVE-2024-56140",
|
|
"GHSA-c4pw-33h3-35xw"
|
|
],
|
|
"cve_ids": [
|
|
"CVE-2024-56140"
|
|
],
|
|
"ghsa_ids": [
|
|
"GHSA-c4pw-33h3-35xw"
|
|
],
|
|
"osv_ids": [
|
|
"GHSA-c4pw-33h3-35xw"
|
|
],
|
|
"affected_versions": [
|
|
"introduced=0, fixed<4.16.17"
|
|
],
|
|
"fixed_versions": [
|
|
"4.16.17"
|
|
],
|
|
"package_name": "astro",
|
|
"render_markdown": true,
|
|
"case_path": "07-framework-security/frameworks/astro/cases/astro-cve-2024-56140.md",
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"csp-trusted-types",
|
|
"token-cookie-storage",
|
|
"dependency-upgrade-policy",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"status": "generated",
|
|
"triage_reasons": [],
|
|
"verification_status": "triage-manual",
|
|
"verification_mode": "synthetic",
|
|
"last_verified_at": null,
|
|
"last_run_id": null,
|
|
"evidence_bundle": null,
|
|
"historical_status": null,
|
|
"latest_status": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
},
|
|
"repro_profile_id": "proxy-boundary-generic",
|
|
"artifact_mode": "synthetic",
|
|
"blocked_reason": null,
|
|
"metadata": {
|
|
"source_names": [
|
|
"OSV Astro"
|
|
],
|
|
"source_kinds": [
|
|
"osv-batch"
|
|
],
|
|
"candidate_count": 1
|
|
}
|
|
}
|