Astro · @Astrojs/Vercel · CVE-2026-33768
**Name of the Vulnerable Software and Affected Versions**
Astro versions prior to 10.0.2
**Description**
Astro, a web framework, contains a flaw in the @astrojs/vercel serverless entrypoint. In versions prior to 10.0.2 the entrypoint does not authenticate the `x-astro-path` header or the `x_astro_path` query parameter, so a client can supply either one to select the path that is actually rendered, bypassing the path restrictions Vercel enforces in front of the function. The bypass affects all HTTP methods, including POST, PUT, and DELETE, because the original method and body are preserved. For example, a firewall rule protecting `/admin/delete-user` can be bypassed by sending a request to `/api/health` with `x_astro_path` set to `/admin/delete-user`.
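The following detector is an added example, not code from Astro or Vercel: it walks a constructed set of request records and flags any whose `x-astro-path` header or `x_astro_path` query parameter would route to a different path than the one in the URL, rating the hit higher when that target sits under a restricted prefix. The query parameter spelling, the header-before-parameter precedence, and the restricted prefix list are assumptions made for the example.

```javascript
// Added detection example for the CVE-2026-33768 bypass (not Astro's or Vercel's code).
const PATH_HEADER = 'x-astro-path';   // header named in the advisory
const PATH_PARAM = 'x_astro_path';    // query parameter name (assumed spelling)

// Prefixes that perimeter rules are meant to protect (constructed for the example).
const RESTRICTED_PREFIXES = ['/admin/', '/internal/'];

// Path an unpatched entrypoint would route to. Header-before-parameter order is an
// assumption; it does not change whether a request is flagged, only which value is shown.
function effectivePath(req) {
  const url = new URL(req.url, 'http://localhost');
  return req.headers[PATH_HEADER] || url.searchParams.get(PATH_PARAM) || url.pathname;
}

// Classify one request: did the override change the routed path, and where does it point?
function classifyRequest(req) {
  const requestedPath = new URL(req.url, 'http://localhost').pathname;
  const routedPath = effectivePath(req);
  const overridden = routedPath !== requestedPath;
  const restricted = RESTRICTED_PREFIXES.some((p) => routedPath.startsWith(p));
  return {
    method: req.method,
    requestedPath,
    routedPath,
    overridden,
    severity: overridden ? (restricted ? 'high' : 'medium') : 'none',
  };
}

// Return only the requests whose routed path differs from the URL path.
function findOverrides(requests) {
  return requests.map(classifyRequest).filter((r) => r.overridden);
}

// Constructed sample traffic (not real logs). The last entry carries the parameter
// but points at the same path, so it is not an override.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/api/health', headers: {} },
  { method: 'POST', url: '/api/health?x_astro_path=/admin/delete-user', headers: {} },
  { method: 'DELETE', url: '/api/health', headers: { 'x-astro-path': '/admin/delete-user' } },
  { method: 'GET', url: '/blog?x_astro_path=/blog', headers: {} },
];

for (const hit of findOverrides(SAMPLE_REQUESTS)) {
  console.log(`${hit.severity}: ${hit.method} ${hit.requestedPath} -> ${hit.routedPath}`);
}
```

Run it against exported access logs to find requests that reached a restricted handler by way of a permitted URL; once on 10.0.2 or later the same records confirm the override is no longer honored.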
**Recommendations**
Update to Astro version 10.0.2 or later.