CVE-2024-56140

Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests	Technical Description
https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts	Product
https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de	Patch
https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2024-12-18 21:15

Updated : 2025-11-25 13:42

NVD link : CVE-2024-56140

Mitre link : CVE-2024-56140

CVE.ORG link : CVE-2024-56140

JSON object : View

Products Affected

astro

astro

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-56140", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-12-18T21:15:08.353", "references": [{"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Astro is a web framework for content-driven websites. In affected versions a bug in Astro\u2019s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Astro es un framework para sitios web basados en contenido. En las versiones afectadas, un error en el middleware de protecci\u00f3n CSRF de Astro permite que las solicitudes eludan las comprobaciones CSRF. Cuando la opci\u00f3n de configuraci\u00f3n `security.checkOrigin` se establece en `true`, el middleware Astro realizar\u00e1 una comprobaci\u00f3n CSRF. Sin embargo, existe una vulnerabilidad que puede eludir esta seguridad. Se permite un par\u00e1metro delimitado por punto y coma despu\u00e9s del tipo en `Content-Type`. Los navegadores web tratar\u00e1n un `Content-Type` como `application/x-www-form-urlencoded; abc` como una `solicitud simple` y no realizar\u00e1n una validaci\u00f3n previa. En este caso, CSRF no se bloquea como se esperaba. Adem\u00e1s, el encabezado `Content-Type` no es necesario para una solicitud. Este problema se ha solucionado en la versi\u00f3n 4.16.17 y se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad."}], "lastModified": "2025-11-25T13:42:59.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EC2DFB09-8B1E-4AA4-AADA-D16A2D4423C4", "versionEndExcluding": "4.16.17"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}