PT-2024-23298 · Unknown · Astro-Shield

Castarco · Published 2024-04-01 · Updated 2024-04-04 · CVE-2024-30250

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Astro-Shield versions 1.2.0 through 1.3.1

Description: Astro-Shield is an integration that enhances website security with Subresource Integrity (SRI) hashes, Content-Security-Policy headers, and other techniques. The issue allows the allow-lists for cross-origin resources to be bypassed by adding valid integrity attributes to injected code, which leads the browser to treat the injected resource as legitimate. To exploit this, an attacker first needs to inject code into the rendered pages by exploiting other potential vulnerabilities.

Recommendations: For Astro-Shield versions 1.2.0 through 1.3.1, update to version 1.3.2 to patch the vulnerability. As a temporary workaround, consider not using the middleware functionality of Astro-Shield, or use it only for content that cannot be controlled in any way by external users.
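The following is an added example modelling the bug class described above; it is not Astro-Shield's own code. It assumes a middleware that builds a CSP script-src list from the external scripts found in rendered HTML, with a hypothetical allow-list, constructed sample markup and placeholder integrity values; the weak policy also accepts any tag that already carries a well-formed integrity attribute, while the hardened policy lets only the origin allow-list decide.

```javascript
// Added example modelling the advisory's bug class; not Astro-Shield's code.
// Two policies decide which cross-origin scripts are admitted into script-src.

const ALLOWED_ORIGINS = new Set(['https://cdn.example.com']); // assumed allow-list

// Constructed sample markup: the second <script> stands in for injected content.
// Its integrity value is a placeholder; an injector can always supply a matching hash.
const SAMPLE_HTML = `
<script src="https://cdn.example.com/lib.js" integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"></script>
<script src="https://untrusted.example.net/x.js" integrity="sha384-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"></script>
`;

const SCRIPT_TAG_RE = /<script\b[^>]*\bsrc="([^"]+)"[^>]*>/g;
const INTEGRITY_RE = /\bintegrity="(sha(?:256|384|512)-[A-Za-z0-9+/=]+)"/;

// Parse external script tags into { src, origin, integrity|null } records.
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const integrity = m[0].match(INTEGRITY_RE);
    scripts.push({
      src: m[1],
      origin: new URL(m[1]).origin,
      integrity: integrity ? integrity[1] : null,
    });
  }
  return scripts;
}

// Weak policy: a well-formed integrity attribute is taken as proof of legitimacy,
// so markup an attacker managed to inject can admit its own origin.
function weakPolicy(tag, allowed) {
  return allowed.has(tag.origin) || tag.integrity !== null;
}

// Hardened policy: only the origin allow-list decides. Integrity attributes found
// in the markup are never a substitute, since whoever wrote the markup chose them.
function hardenedPolicy(tag, allowed) {
  return allowed.has(tag.origin);
}

// Build the script-src source list the middleware would emit under a given policy.
function buildScriptSrc(html, allowed, policy) {
  const sources = new Set(["'self'"]);
  for (const tag of extractScripts(html)) {
    if (policy(tag, allowed)) sources.add(tag.origin);
  }
  return [...sources];
}

console.log('weak    :', buildScriptSrc(SAMPLE_HTML, ALLOWED_ORIGINS, weakPolicy));
console.log('hardened:', buildScriptSrc(SAMPLE_HTML, ALLOWED_ORIGINS, hardenedPolicy));
```

Under the weak policy the injected origin lands in script-src alongside the allow-listed CDN; under the hardened policy it does not, which is the property a fixed middleware must preserve.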

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2024-30250, GHSA-C4GR-Q97G-PPWC

Affected Products: Astro-Shield