CVE-2026-45028: XSS in Astro Server Islands

Platform

nodejs

Component

astro

Fixed in

6.1.10

CVE-2026-45028 affects Astro versions up to 6.1.10. This vulnerability allows an attacker to potentially inject malicious scripts via cross-site scripting (XSS) by exploiting a flaw in how server island props and slots parameters are encrypted. The vulnerability requires specific conditions to be met, including the use of server islands and two distinct islands within the application. A fix is available in version 6.1.11.

Impact and Attack Scenarios

The core of this vulnerability lies in Astro's server islands feature and the AES-GCM encryption used to protect props and slots. Astro failed to properly bind the ciphertext to its intended component or parameter type. This means an attacker can intercept and replay an encrypted props value (p) as a slots value (s), or vice versa. Since slots contain raw, unescaped HTML, while props might contain user-controlled data, this replay attack can lead to XSS. Successful exploitation hinges on the application utilizing server islands and having at least two different server islands involved. The potential impact is the execution of arbitrary JavaScript in the user's browser, leading to data theft, session hijacking, or defacement of the application.

Exploitation Context

CVE-2026-45028 was published on May 13, 2026. There is currently no indication that this vulnerability is being actively exploited in the wild. It is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's description suggests it is potentially exploitable with moderate effort.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO

EPSS

0.02% (7th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

Affected Software

Component: astro
Vendor: withastro
Minimum version: 6.1.0
Maximum version: < 6.1.10
Fixed in: 6.1.10

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade to Astro version 6.1.11 or later, which addresses the ciphertext binding issue. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all data passed to server islands, particularly within slots. While not a complete solution, this can reduce the attack surface. Additionally, review your Astro application's architecture to minimize the use of server islands where possible. There are no specific WAF rules or detection signatures readily available for this particular vulnerability, as it's a logic flaw rather than a direct exploit pattern. After upgrading, confirm the fix by testing the application with scenarios that previously triggered the vulnerability, ensuring props and slots are handled securely.

How to fix

Upgrade to version 6.1.10 or later to mitigate the vulnerability. This version fixes the issue by correctly binding the ciphertexts to their target components and parameters, thereby preventing replay attacks and the resulting XSS injection.

Frequently asked questions

What is CVE-2026-45028 — XSS in Astro Server Islands?

CVE-2026-45028 is a cross-site scripting (XSS) vulnerability in Astro versions up to 6.1.10. It allows attackers to potentially inject malicious scripts by exploiting a flaw in how server island props and slots are encrypted.

Am I affected by CVE-2026-45028 in Astro?

You are affected if you are using Astro version 6.1.10 or earlier and your application utilizes server islands with both props and slots, especially if you have multiple server islands interacting.

How do I fix CVE-2026-45028 in Astro?

Upgrade to Astro version 6.1.11 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement strict input validation and output encoding on data used in server islands.

Is CVE-2026-45028 being actively exploited?

As of now, there is no public evidence of CVE-2026-45028 being actively exploited in the wild. However, it's crucial to apply the fix to prevent potential future exploitation.

Where can I find the official Astro advisory for CVE-2026-45028?

Refer to the official Astro security advisory for CVE-2026-45028 on the Astro website or GitHub repository for the most up-to-date information and guidance.
