Impact
Astro’s server‑side rendering code, before version 6.1.6, sanitized values that are inserted into inline <script> tags via the define:vars directive with a case‑sensitive regular expression. Web browsers treat the closing </script> tag case‑insensitively and also accept variations that contain whitespace or a slash before the closing greater‑than sign, such as </Script>, </script >, or </script/>. An attacker can take advantage of this mismatch to inject arbitrary JavaScript or HTML into the rendered page, leading to classic cross‑site scripting that can hijack user sessions, steal credentials, or modify page content. The vulnerability does not expose system internals or allow arbitrary OS command execution, but it permits arbitrary script execution in the victim’s browser context, which is a high‑impact attack vector for web applications.
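As an added illustration (not Astro's own code), the snippet below places a case-sensitive replace of the kind described above next to a check that mirrors how the browser tokenizer recognises a script end tag, and next to an encoding that leaves no `</` sequence to break out with. All function names and the test inputs are constructed for this example.

```javascript
// Added example, not Astro's code: weak vs. hardened handling of values
// that are serialised into an inline <script> block.

// Mirrors the weak approach: only the exact lowercase "</script>" is neutralised.
function weakSanitize(value) {
  return String(value).replace(/<\/script>/g, "<\\/script>");
}

// The HTML tokenizer ends a script block on "</script" (any case) followed by
// whitespace, "/" or ">", so that is what a defender's check must match.
const SCRIPT_CLOSE = /<\/script[\s\/>]/i;

function canBreakOutOfScript(serialized) {
  return SCRIPT_CLOSE.test(serialized);
}

// Hardened serialisation: JSON-encode, then escape the characters that HTML
// treats specially, so no "</" can appear regardless of case or spacing.
function safeScriptValue(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Constructed inputs: the closing-tag variants named in the advisory.
const VARIANTS = ["</script>", "</Script>", "</script >", "</script/>"];

// Reports, per variant, whether each approach still leaves a usable end tag.
function auditVariants() {
  return VARIANTS.map((v) => ({
    variant: v,
    weakLeaks: canBreakOutOfScript(weakSanitize(v)),
    safeLeaks: canBreakOutOfScript(safeScriptValue(v)),
  }));
}
```

Running `auditVariants()` shows the weak replace stopping only the exact lowercase form while the three variants pass through untouched, and the JSON-plus-`\u003c` encoding leaving nothing for the tokenizer to match.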
Affected Systems
The affected product is withastro:astro, any installation running a version older than 6.1.6. The flaw exists in Astro’s server‑side rendering pipeline, specifically in the function that handles the define:vars directive. All Node.js environments that serve Astro templates and have not upgraded to 6.1.6 or later remain vulnerable; this includes any web sites or applications that build or render pages with Astro and pass user‑controlled data to the define:vars directive.
Risk and Exploitability
The CVSS score is 6.1, indicating moderate severity. The EPSS score is below 1%, indicating a very low probability of exploitation, and the bug is not listed in CISA’s KEV catalog. Exploitation requires that an attacker be able to supply data that Astro will inject into a <script> tag via define:vars, which usually means some user input or configuration file is rendered without proper validation. Where such an input source exists, the attacker can inject the crafted closing‑tag variants and run arbitrary client‑side code; otherwise the issue is easily mitigated and the overall risk remains moderate.
OpenCVE Enrichment
Github GHSA