CVE-2024-56140
CVSS V2 None
CVSS V3 None
Description
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Overview
- CVE ID
- CVE-2024-56140
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-12-18T20:41:06.806Z
- Last Modified Date
- 2024-12-18T21:03:36.201Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw | x_refsource_CONFIRM |
https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de | x_refsource_MISC |
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests | x_refsource_MISC |
https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-56140 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56140 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-12-19 13:11:12 | Added to TrackCVE |