PT-2026-27487 · Astro · @astrojs/vercel
Jp-Soba · Published 2026-03-24 · Updated 2026-03-26
CVE-2026-33768 · CVSS v3.1 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Astro versions prior to 10.0.2
Description
Astro, a web framework, contains a flaw in the serverless entrypoint of its @astrojs/vercel adapter. Versions prior to 10.0.2 take the path to render from the x-astro-path request header or the x-astro-path query parameter without authenticating that the value came from the platform's own routing layer, so any external client can supply it. A request whose URL is permitted by Vercel's path-based restrictions is therefore dispatched to whatever path the attacker names, bypassing those restrictions. The bypass works for every HTTP method, including POST, PUT and DELETE, because the original method and body are preserved. For example, an attacker can evade a firewall rule protecting a restricted path by sending a request to /api/health with x-astro-path set to /admin/delete-user.
Recommendations
Update to Astro version 10.0.2 or later.
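The following is an added example and is not code from Astro or @astrojs/vercel. It models the override behaviour the description gives (a path-restriction layer that keys on the URL while the application acts on x-astro-path), simulates the /api/health to /admin/delete-user bypass, and adds a request check and a sweep over constructed log lines that a practitioner can use while upgrading. The function names, the BASE placeholder origin, the blocked-prefix firewall model and the log line format are assumptions made for this example.

```javascript
// Added example, not code from Astro or @astrojs/vercel: a model of the
// path-override behaviour the advisory describes, a bypass simulation, and a
// request check plus log sweep usable while upgrading to 10.0.2.
// Names, the BASE origin and the log format are assumptions for this example.
const OVERRIDE = "x-astro-path"; // header and query parameter named in the advisory
const BASE = "https://example.invalid"; // placeholder origin for parsing relative URLs

// Lower-case header names so lookups match however the client cased them.
function normalizeHeaders(headers = {}) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// Model of the vulnerable (pre-10.0.2) dispatch: the override wins over the URL.
function effectivePath(rawUrl, headers = {}) {
  const url = new URL(rawUrl, BASE);
  const h = normalizeHeaders(headers);
  return h[OVERRIDE] || url.searchParams.get(OVERRIDE) || url.pathname;
}

// Model of a path-based restriction (e.g. a firewall rule) that inspects only
// the request URL, never the override the application will act on.
function firewallAllows(rawUrl, blockedPrefixes) {
  const { pathname } = new URL(rawUrl, BASE);
  return !blockedPrefixes.some((prefix) => pathname.startsWith(prefix));
}

// Runs one request through both layers and reports what each of them saw.
function simulate(rawUrl, headers, blockedPrefixes) {
  return {
    firewallAllowed: firewallAllows(rawUrl, blockedPrefixes),
    dispatchedPath: effectivePath(rawUrl, headers),
  };
}

// Stopgap check for an edge or middleware layer: true when the request carries
// no override at all, false when it should be rejected or the override dropped.
function isCleanRequest(rawUrl, headers = {}) {
  const url = new URL(rawUrl, BASE);
  const h = normalizeHeaders(headers);
  return !(OVERRIDE in h) && !url.searchParams.has(OVERRIDE);
}

// Constructed sample access log for this example: "<method> <url> <json headers>".
const SAMPLE_LOG = [
  'POST /api/health {"x-astro-path":"/admin/delete-user"}',
  "GET /api/health?x-astro-path=/admin/delete-user {}",
  "GET /api/health {}",
  'DELETE /api/health {"X-Astro-Path":"/admin/delete-user"}',
];

// Detection sweep: returns every logged request that carried an override,
// together with the path the vulnerable adapter would have dispatched.
function findBypassAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const [method, url, ...rest] = line.split(" ");
    const headers = JSON.parse(rest.join(" "));
    if (!isCleanRequest(url, headers)) {
      hits.push({ method, url, dispatchedPath: effectivePath(url, headers) });
    }
  }
  return hits;
}

// Stand-alone demonstration of the advisory's example request.
console.log(simulate("/api/health", { [OVERRIDE]: "/admin/delete-user" }, ["/admin"]));
console.log(findBypassAttempts(SAMPLE_LOG));
```

The simulation shows the core of the issue: the firewall model judges /api/health and allows it, while the dispatch model renders /admin/delete-user. The isCleanRequest check is a stopgap only; if the platform itself sets this header for legitimate internal rewrites, rejecting it blindly would break those, so the real remediation remains the upgrade to 10.0.2 or later, with the log sweep used to look for past abuse.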
Exploit
Fix
Missing Authorization
Related Identifiers: CVE-2026-33768
Affected Products
@astrojs/vercel
Astro