💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-45028: XSS in Astro Server Islands
Platform
nodejs
Component
astro
Fixed in
6.1.10
CVE-2026-45028 affects Astro releases before the fixed version listed above (6.1.10; the advisory text on this page also cites 6.1.11, so confirm the exact release against the upstream GitHub advisory). The flaw is in how the encrypted props (`p`) and slots (`s`) parameters of server islands are protected: a ciphertext minted for one parameter can be replayed as the other, which lets an attacker turn escaped prop data into raw slot HTML and achieve cross-site scripting (XSS). Exploitation requires that the application uses server islands and that two distinct islands are involved.
Impact and Attack Scenarios
The core of this vulnerability lies in Astro's server islands feature and the AES-GCM encryption used to protect props and slots. AES-GCM authenticates the ciphertext, but Astro did not bind the ciphertext to the component it was minted for or to the parameter type it belonged to. Nothing in the authentication tag therefore distinguishes a props value (`p`) from a slots value (`s`): an attacker who captures an encrypted `p` value can submit it as `s`, or vice versa, and it decrypts and authenticates successfully. The attacker does not break the cipher; they only reuse a token in a context it was never meant for. Slots are rendered as raw, unescaped HTML, while props may carry user-controlled data that is escaped on output, so replaying a props ciphertext as a slots parameter turns escaped user input into markup the browser executes. Successful exploitation requires that the application uses server islands and that at least two different islands are involved: one whose props carry attacker-influenced data, and one whose slot the replayed value is rendered into. The impact is execution of arbitrary JavaScript in the victim's browser, leading to data theft, session hijacking, or defacement of the application.
Exploitation Context
CVE-2026-45028 was published on May 13, 2026. There is currently no indication that it is being exploited in the wild, and it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. Its EPSS (Exploit Prediction Scoring System) score is 0.02% (7th percentile). Public proof-of-concept code is not yet widely available, but the nature of the flaw (replaying a captured ciphertext as a different parameter) suggests it is exploitable with moderate effort once an application meets the preconditions.
Threat Intelligence
EPSS
0.02% (percentile 7%)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation is to upgrade to the fixed Astro release (see the "Fixed in" field above), which binds each ciphertext to its target component and parameter type. If upgrading is not immediately feasible, reduce the attack surface by keeping untrusted user input out of server island props: the attack works by replaying a props ciphertext as a slots parameter, so a props value that never contains attacker-controlled data gives the attacker nothing to inject. Escaping or validating data at the point it enters props does not remove the flaw, since the replayed value is rendered as raw slot HTML regardless of how the props renderer would have treated it. Also review where server islands are used and remove those that are not needed. There are no WAF rules or detection signatures for this issue: the malicious request carries a validly encrypted, authenticated token and is indistinguishable from a legitimate one at the transport layer. After upgrading, verify the fix by taking a captured island request, substituting its `p` value into `s` (and `s` into `p`), and confirming that the server rejects the request instead of rendering the decrypted content.
How to fix
Upgrade to version 6.1.10 or later to mitigate the vulnerability. This version fixes the issue by correctly binding ciphertexts to their target components and parameters, which prevents replay attacks and the resulting XSS injection.
Frequently Asked Questions
What is CVE-2026-45028 — XSS in Astro Server Islands?
CVE-2026-45028 is a cross-site scripting (XSS) vulnerability in Astro releases before the fixed version listed on this page. A ciphertext encrypted for a server island's props parameter can be replayed as its slots parameter, turning escaped user data into raw HTML.
Am I affected by CVE-2026-45028 in Astro?
You are affected if you run an Astro release before the fixed version listed on this page and your application uses server islands, in particular if at least two distinct islands are present and one of them receives user-controlled data through its props.
How do I fix CVE-2026-45028 in Astro?
Upgrade to the fixed Astro release (6.1.10 according to the "Fixed in" field on this page; confirm the exact version in the upstream advisory). If an immediate upgrade is not possible, keep untrusted user input out of server island props until you can upgrade.
Is CVE-2026-45028 being actively exploited?
As of now, there is no public evidence of CVE-2026-45028 being actively exploited in the wild. However, it's crucial to apply the fix to prevent potential future exploitation.
Where can I find the official Astro advisory for CVE-2026-45028?
Refer to the official Astro security advisory for CVE-2026-45028 on the Astro website or GitHub repository for the most up-to-date information and guidance.