PT-2024-32873 · Astro · Astro

Ishmeals

+2

·

Published

2024-10-14

·

Updated

2024-10-15

·

CVE-2024-47885

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions

Astro versions 3.0.0 through 4.16.0
Description

The Astro web framework contains a DOM Clobbering gadget in its client-side router, the component enabled through ViewTransitions. A site is exposed when it enables client-side routing and renders stored, attacker-controlled HTML on a destination page. The attacker needs no script tag: a scriptless element such as an iframe whose name attribute was stored without sanitization is enough, because a named element can shadow a DOM property that the router reads, and the result is cross-site scripting (XSS) on the affected site.
Recommendations

Update Astro 3.0.0 through 4.16.0 to version 4.16.1 or later, which resolves the issue. Until the update is deployed, disable client-side routing (remove the ViewTransitions component) as a temporary workaround. Independently of the framework version, do not render user-supplied HTML whose elements carry unsanitized name attributes, in particular iframe tags: strip or sanitize such attributes before the content is stored or served.
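The sanitization step recommended above, as an added example that is not code from the Astro project or from this advisory: a small Python helper built on the standard library's html.parser that removes the attributes through which stored scriptless HTML can clobber DOM properties. The helper names (ClobberSanitizer, sanitize_clobbering, find_clobbering_attrs), the tag sets and the sample HTML are assumptions constructed here. It is intended to run in addition to a normal allowlist sanitizer, not instead of one; for JavaScript back ends, DOMPurify's SANITIZE_DOM option performs a comparable removal.

```python
"""Neutralize DOM-clobbering vectors in stored user HTML.

Added illustration, not Astro's code. All names below are assumed helpers,
and STORED is a constructed sample of attacker-supplied, scriptless HTML.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Per the HTML spec, name= on these elements becomes a named property of
# `document` (and `window`), so <iframe name="currentScript"> shadows
# document.currentScript for any script that reads it.
DOCUMENT_NAMED_TAGS = {"embed", "form", "iframe", "img", "object"}
# id= on any element becomes a named property of `window`.
WINDOW_NAMED_ATTRS = {"id"}


class ClobberSanitizer(HTMLParser):
    """Re-serializes HTML, dropping attributes that can clobber DOM properties."""

    def __init__(self) -> None:
        # Keep entity references as tokens so they can be echoed verbatim.
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, str]] = []

    def _keep(self, tag: str, attr: str, value: Optional[str]) -> bool:
        clobbers = attr in WINDOW_NAMED_ATTRS or (
            attr == "name" and tag in DOCUMENT_NAMED_TAGS
        )
        if clobbers:
            self.dropped.append((tag, attr, value or ""))
        return not clobbers

    def _open_tag(self, tag, attrs, self_closing: bool) -> None:
        parts = [tag]  # html.parser already lower-cases tag and attribute names
        for attr, value in attrs:
            if not self._keep(tag, attr, value):
                continue
            # The parser decoded entities in attribute values; re-escape on output.
            parts.append(attr if value is None else f'{attr}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._open_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so a stray "<" or "&" cannot reopen a tag.
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # Comments, doctypes and processing instructions are dropped: user content
    # never needs them and they are a classic source of parser confusion.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_clobbering(html: str) -> str:
    """Return the HTML with clobbering-capable name=/id= attributes removed."""
    parser = ClobberSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def find_clobbering_attrs(html: str) -> List[Tuple[str, str, str]]:
    """Report (tag, attribute, value) triples that sanitize_clobbering would drop."""
    parser = ClobberSanitizer()
    parser.feed(html)
    parser.close()
    return list(parser.dropped)


# Constructed sample: a harmless comment followed by two clobbering attempts
# and an ordinary link whose attribute values must survive unchanged.
STORED = (
    '<p>Thanks for the tip!</p>'
    '<iframe name="currentScript" src="https://attacker.example/x"></iframe>'
    '<img id="scripts" src="https://attacker.example/p.png">'
    '<a href="/docs?q=1&amp;r=2" title="A &quot;B&quot;">link</a>'
)

if __name__ == "__main__":
    for tag, attr, value in find_clobbering_attrs(STORED):
        print(f"dropping {attr}={value!r} on <{tag}>")
    print(sanitize_clobbering(STORED))
```

Run it before storing user content, or at render time if existing records cannot be rewritten; the report from find_clobbering_attrs is worth logging, since a name attribute such as currentScript in user HTML is a strong signal of a deliberate clobbering attempt rather than an accident.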

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-47885
GHSA-M85W-3H95-HCF9

Affected Products

Astro