Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c7ee3660f6e2 · 2025-11-27T08:03:42.000Z
GHSA-49w6-73cw-chjr GHSA-c4pw-33h3-35xw
diff --git a/advisories/github-reviewed/2024/12/GHSA-49w6-73cw-chjr/GHSA-49w6-73cw-chjr.json b/advisories/github-reviewed/2024/12/GHSA-49w6-73cw-chjr/GHSA-49w6-73cw-chjr.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-49w6-73cw-chjr",
-  "modified": "2024-12-19T21:38:47Z",
+  "modified": "2025-11-27T08:02:36Z",
   "published": "2024-12-19T15:12:33Z",
   "aliases": [
     "CVE-2024-56159"
@@ -32,10 +32,7 @@
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 5.0.7"
-      }
+      ]
     },
     {
       "package": {
diff --git a/advisories/github-reviewed/2024/12/GHSA-c4pw-33h3-35xw/GHSA-c4pw-33h3-35xw.json b/advisories/github-reviewed/2024/12/GHSA-c4pw-33h3-35xw/GHSA-c4pw-33h3-35xw.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c4pw-33h3-35xw",
-  "modified": "2024-12-18T21:52:48Z",
+  "modified": "2025-11-27T08:01:13Z",
   "published": "2024-12-18T15:02:37Z",
   "aliases": [
     "CVE-2024-56140"
   ],
   "summary": "Atro CSRF Middleware Bypass (security.checkOrigin)",
-  "details": "### Summary\n\nA bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.\n\n### Details\n\nWhen the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)\n\nFor example, with the following Astro configuration:\n\n```js\n// astro.config.mjs\nimport { defineConfig } from 'astro/config';\nimport node from '@astrojs/node';\n\nexport default defineConfig({\n\toutput: 'server',\n\tsecurity: { checkOrigin: true },\n\tadapter: node({ mode: 'standalone' }),\n});\n```\n\nA request like the following would be blocked if made from a different origin:\n\n```js\n// fetch API or <form action=\"https://test.example.com/\" method=\"POST\">\nfetch('https://test.example.com/', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: 'a=b',\n\theaders: { 'Content-Type': 'application/x-www-form-urlencoded' },\n});\n// => Cross-site POST form submissions are forbidden\n```\n\nHowever, a vulnerability exists that can bypass this security.\n\n#### Pattern 1: Requests with a semicolon after the `Content-Type`\n\nA semicolon-delimited parameter is allowed after the type in `Content-Type`.\n\nWeb browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a [simple request](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and will not perform preflight validation. In this case, CSRF is not blocked as expected.\n\n```js\nfetch('https://test.example.com', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: 'test',\n\theaders: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },\n});\n// => Server-side functions are executed (Response Code 200).\n```\n\n#### Pattern 2: Request without `Content-Type` header\n\nThe `Content-Type` header is not required for a request. The following examples are sent without a `Content-Type` header, resulting in CSRF.\n\n```js\n// Pattern 2.1 Request without body\nfetch('http://test.example.com', { method: 'POST', credentials: 'include' });\n\n// Pattern 2.2 Blob object without type\nfetch('https://test.example.com', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: new Blob(['a=b'], {}),\n});\n```\n\n### Impact\n\nBypass CSRF protection implemented with CSRF middleware.\n\n> [!Note]\n> Even with `credentials: 'include'`, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.\n",
+  "details": "### Summary\n\nA bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.\n\n### Details\n\nWhen the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)\n\nFor example, with the following Astro configuration:\n\n```js\n// astro.config.mjs\nimport { defineConfig } from 'astro/config';\nimport node from '@astrojs/node';\n\nexport default defineConfig({\n\toutput: 'server',\n\tsecurity: { checkOrigin: true },\n\tadapter: node({ mode: 'standalone' }),\n});\n```\n\nA request like the following would be blocked if made from a different origin:\n\n```js\n// fetch API or <form action=\"https://test.example.com/\" method=\"POST\">\nfetch('https://test.example.com/', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: 'a=b',\n\theaders: { 'Content-Type': 'application/x-www-form-urlencoded' },\n});\n// => Cross-site POST form submissions are forbidden\n```\n\nHowever, a vulnerability exists that can bypass this security.\n\n#### Pattern 1: Requests with a semicolon after the `Content-Type`\n\nA semicolon-delimited parameter is allowed after the type in `Content-Type`.\n\nWeb browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a [simple request](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and will not perform preflight validation. In this case, CSRF is not blocked as expected.\n\n```js\nfetch('https://test.example.com', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: 'test',\n\theaders: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },\n});\n// => Server-side functions are executed (Response Code 200).\n```\n\n#### Pattern 2: Request without `Content-Type` header\n\nThe `Content-Type` header is not required for a request. The following examples are sent without a `Content-Type` header, resulting in CSRF.\n\n```js\n// Pattern 2.1 Request without body\nfetch('http://test.example.com', { method: 'POST', credentials: 'include' });\n\n// Pattern 2.2 Blob object without type\nfetch('https://test.example.com', {\n\tmethod: 'POST',\n\tcredentials: 'include',\n\tbody: new Blob(['a=b'], {}),\n});\n```\n\n### Impact\n\nBypass CSRF protection implemented with CSRF middleware.\n\n> [!Note]\n> Even with `credentials: 'include'`, browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.",
   "severity": [
     {
       "type": "CVSS_V3",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-49w6-73cw-chjr",`
`4`		`- "modified": "2024-12-19T21:38:47Z",`
	`4`	`+ "modified": "2025-11-27T08:02:36Z",`
`5`	`5`	`"published": "2024-12-19T15:12:33Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2024-56159"`
`@@ -32,10 +32,7 @@`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`35`		`- ],`
`36`		`- "database_specific": {`
`37`		`- "last_known_affected_version_range": "<= 5.0.7"`
`38`		`- }`
	`35`	`+ ]`
`39`	`36`	`},`
`40`	`37`	`{`
`41`	`38`	`"package": {`