PT-2024-36726 · Astro · Astro

Reporter: Lilnasy · Published 2024-12-19 · Updated 2026-01-15

CVE-2024-56159

CVSS v4.0: 7.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

Astro versions v5.0.3 through v5.0.7
Astro versions 4.16.17 and earlier
Astro versions 5.0.8 and earlier
Description

A flaw exists in the build process of Astro, a web framework for content-driven websites, allowing unauthenticated users to access parts of the server source code. During the build process, sourcemap files for server code are moved to a publicly accessible folder, from where they can be retrieved with an unauthenticated HTTP GET request. While some server files have hashed names, files belonging to the file-system router in the src/pages directory are predictably named: for example, src/pages/index.astro produces dist/client/pages/index.astro.mjs.map. This issue is the root cause of issue #12703.

The vulnerability affects all server-output projects on Astro 5 versions v5.0.3 through v5.0.7 with sourcemaps enabled, and all static-output projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.8 or older, with sourcemaps enabled.

The impact is limited to source code exposure, but this could potentially lead to the discovery of further vulnerabilities: unsafe code revealed by the sourcemaps, such as vulnerable regular expressions, could then be exploited.
Recommendations

Update to astro@5.0.8 or later for server-output projects.
Update to astro@5.0.9 or later for static-output projects.
Update to astro@4.16.18 or later for Astro 4 static-output projects.

Related Identifiers

CVE-2024-56159
GHSA-49W6-73CW-CHJR

Affected Products

Astro