CVE-2026-45028: XSS in Astro Server Islands

Platform: nodejs

Component: astro

Fixed in: 6.1.10


CVE-2026-45028 affects Astro versions up to 6.1.10. This vulnerability allows an attacker to potentially inject malicious scripts via cross-site scripting (XSS) by exploiting a flaw in how server island props and slots parameters are encrypted. The vulnerability requires specific conditions to be met, including the use of server islands and two distinct islands within the application. A fix is available in version 6.1.11.

Impact and Attack Scenarios

The core of this vulnerability lies in Astro's server islands feature and the AES-GCM encryption used to protect props and slots. Astro failed to bind each ciphertext to its intended component or parameter type, so an attacker who obtains an encrypted props value (the p parameter) can replay it as a slots value (the s parameter), or vice versa. Slots are rendered as raw, unescaped HTML, whereas props may carry user-controlled data that is normally escaped; replaying a props ciphertext into the slots position therefore renders that user-controlled data as HTML, which can lead to XSS. Successful exploitation requires that the application uses server islands and that at least two different server islands are involved. The potential impact is the execution of arbitrary JavaScript in the user's browser, leading to data theft, session hijacking, or defacement of the application.

Exploitation Context

CVE-2026-45028 was published on May 13, 2026. There is currently no indication that this vulnerability is being actively exploited in the wild. It is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's description suggests it is potentially exploitable with moderate effort.

Threat Intelligence

Exploit Status

Proof of concept: Unknown
CISA KEV: No

EPSS

0.02% (7th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical impact: partial

Affected Software

Component: astro
Vendor: withastro
Minimum version: 6.1.0
Maximum version: < 6.1.10
Fixed in: 6.1.10

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade to Astro version 6.1.11 or later, which addresses the ciphertext binding issue. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all data passed to server islands, particularly within slots. While not a complete solution, this can reduce the attack surface. Additionally, review your Astro application's architecture to minimize the use of server islands where possible. There are no specific WAF rules or detection signatures readily available for this particular vulnerability, as it's a logic flaw rather than a direct exploit pattern. After upgrading, confirm the fix by testing the application with scenarios that previously triggered the vulnerability, ensuring props and slots are handled securely.

How to fix

Upgrade to version 6.1.10 or later to mitigate the vulnerability. This version fixes the issue by correctly binding ciphertexts to their target components and parameters, thereby preventing replay attacks and the resulting XSS injection.

Frequently Asked Questions

What is CVE-2026-45028 — XSS in Astro Server Islands?

CVE-2026-45028 is a cross-site scripting (XSS) vulnerability in Astro versions up to 6.1.10. It allows attackers to potentially inject malicious scripts by exploiting a flaw in how server island props and slots are encrypted.

Am I affected by CVE-2026-45028 in Astro?

You are affected if you are using Astro version 6.1.10 or earlier and your application utilizes server islands with both props and slots, especially if you have multiple server islands interacting.

How do I fix CVE-2026-45028 in Astro?

Upgrade to Astro version 6.1.11 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement strict input validation and output encoding on data used in server islands.

Is CVE-2026-45028 being actively exploited?

As of now, there is no public evidence of CVE-2026-45028 being actively exploited in the wild. However, it's crucial to apply the fix to prevent potential future exploitation.

Where can I find the official Astro advisory for CVE-2026-45028?

Refer to the official Astro security advisory for CVE-2026-45028 on the Astro website or GitHub repository for the most up-to-date information and guidance.
