CVE-2024-56140

Name of the Vulnerable Software and Affected Versions Astro versions prior to 4.16.17

Description A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in Content-Type. Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the Content-Type header is not required for a request.

Recommendations For versions prior to 4.16.17, upgrade to version 4.16.17 or later to address the issue. As a temporary workaround, consider restricting the use of the security.checkOrigin configuration option until a patch is available. Avoid using the Content-Type header with a semicolon-delimited parameter in the affected API endpoints until the issue is resolved. Restrict access to the Astro middleware to minimize the risk of exploitation.