GHSA-2pvr-wf23-7pc7

Suggest an improvement
Source
https://github.com/advisories/GHSA-2pvr-wf23-7pc7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2pvr-wf23-7pc7/GHSA-2pvr-wf23-7pc7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2pvr-wf23-7pc7
Aliases
  • CVE-2026-54299
Published
2026-06-16T14:38:06Z
Modified
2026-06-16T14:45:07.629543376Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Astro: Host header SSRF in prerendered error page fetch
Details

Summary

Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response.

Who is affected

This affects SSR deployments that:

  1. Have a prerendered 404 or 500 page
  2. Use createRequestFromNodeRequest from astro/app/node with app.render() without overriding prerenderedErrorPageFetch — this includes custom servers built on the public API and third-party adapters

Not affected: - @astrojs/node >= 9.5.4 (reads error pages from disk) - @astrojs/cloudflare (uses the ASSETS binding) - The dev server (renders error pages in-process)

How it works

createRequestFromNodeRequest builds request.url from the raw Host / :authority header. The allowedDomains option is accepted but only gates X-Forwarded-For — it does not constrain the URL origin. (The public createRequest does fall back to localhost for unvalidated hosts; this internal builder did not.)

When app.render() encounters a 404 or 500 with a prerendered error route, default-handler.ts constructs the error page URL using the origin from request.url and fetches it via prerenderedErrorPageFetch, which defaults to global fetch. The response body is served to the client.

An attacker sends a request with Host: attacker-host:port, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back.

Remediation

The error page fetch origin is now validated against allowedDomains before use. When the host is validated, the original origin is preserved. Otherwise, it falls back to localhost. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response.

Credit

5ud0 / Tarmo Technologies

Database specific 
{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2026-06-16T14:38:06Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-918"
    ],
    "nvd_published_at": null
}
References

Affected packages

npm / astro

Package

Name
astro
View open source insights on deps.dev
Purl
pkg:npm/astro

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.6

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2pvr-wf23-7pc7/GHSA-2pvr-wf23-7pc7.json"