Astro · Astro · CVE-2024-47885
**Name of the Vulnerable Software and Affected Versions**
Astro versions 3.0.0 through 4.16.0
**Description**
The Astro web framework has a DOM Clobbering gadget in its client-side router. On websites that enable client-side routing with `ViewTransitions` and store attacker-controlled scriptless HTML elements on the destination pages, such as `iframe` tags whose `name` attributes are not sanitized, this gadget can be abused for cross-site scripting (XSS).
**Recommendations**
For Astro versions 3.0.0 through 4.16.0, update to version 4.16.1 or later to resolve the issue. As a temporary workaround, consider disabling the client-side routing feature until the update is applied. Restrict access to the client-side router module to minimize the risk of exploitation. Avoid storing `iframe` tags with unsanitized `name` attributes within the affected API endpoints until the issue is resolved.