Description
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Published: 2026-05-13
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Astro versions older than 6.1.10 employed AES‑GCM to encrypt server island props and slots, but the ciphertext was not tied to the specific component or parameter type. This allowed an attacker to replay a ciphertext created for a prop of one component as the slot value of another component, or vice versa. When the attacked component’s slot contains unsanitized raw HTML while the prop potentially contains user‑controlled content, this swap can inject malicious script into the page, resulting in cross‑site scripting. The vulnerability requires that both server islands share the same key name for a prop and a slot and that the attacker can fully control the value of the overlapping prop in a dynamically rendered page.

Affected Systems

The issue affects any project built with the Astro framework using version 6.1.9 or earlier. Specifically, applications that employ server islands and where two distinct components share a key name for a prop and a slot are at risk. The vulnerability is not present once the project is upgraded to Astro 6.1.10 or later.

Risk and Exploitability

The CVSS score of 2.9 indicates a low overall severity. An EPSS score of <1% (0.00023) shows a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating no known public exploitation. However, exploitation is feasible if an application satisfies the conditions above and an attacker can inject a controlled value into the vulnerable prop. Successful replay can lead to client‑side XSS, which may be used for phishing, credential theft, or defacement. The risk is confined to the boundaries of the affected component, but any compromised content can affect all viewers of the page.

Generated by OpenCVE AI on May 14, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Astro to version 6.1.10 or later to resolve the encryption flaw.
  • Review server island component configurations to ensure no overlapping key names between props and slots; rename conflicting keys.
  • Validate that any data injected into slots is properly escaped or sanitized to mitigate XSS potential.

Generated by OpenCVE AI on May 14, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xr5h-phrj-8vxv Astro: Server island encrypted parameters vulnerable to cross-component replay
History

Thu, 14 May 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Astro
Astro astro
Weaknesses CWE-79
CPEs cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
Vendors & Products Astro
Astro astro
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 13 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Withastro
Withastro astro
Vendors & Products Withastro
Withastro astro

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Title Astro: Server island encrypted parameters vulnerable to cross-component replay
Weaknesses CWE-323
References
Metrics cvssV4_0

{'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Astro Astro
Withastro Astro
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:33:24.630Z

Reserved: 2026-05-08T16:58:28.897Z

Link: CVE-2026-45028

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:17:00.173

Modified: 2026-05-14T13:28:32.990

Link: CVE-2026-45028

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T15:45:23Z

Weaknesses