CVE-2024-56159

Published: Dic 19, 2024 Last Modified: Nov 25, 2025 EU-VD ID: EUVD-2024-3552 Aliases: GHSA-49w6-73cw-chjr

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **[email protected]**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **[email protected]**, and backported to Astro v4 in **[email protected]**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **[email protected]**, and the fix for **static-output** projects was released in **[email protected]** and backported to Astro v4 in **[email protected]**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.

AI Generated Translation

Astro è un framework web per siti web basati sui contenuti. Un bug nel processo di build consente a qualsiasi utente non autenticato di leggere parti del codice sorgente del server. Durante la build, insieme agli asset client come file CSS e font, i file sourcemap **per il codice del server** vengono spostati in una cartella accessibile pubblicamente. Qualsiasi parte esterna può leggerli tramite una richiesta HTTP GET non autorizzata allo stesso server che ospita il resto del sito web. Sebbene alcuni file del server siano hashati, rendendo il loro accesso meno ovvio, i file corrispondenti al router del file system (quelli in `src/pages`) sono nominati in modo prevedibile. Ad esempio, il file sourcemap per `src/pages/index.astro` viene chiamato `dist/client/pages/index.astro.mjs.map`. Questa vulnerabilità è la causa principale del problema #12703, che collega a un semplice progetto su Stackblitz che dimostra la vulnerabilità. Durante il build, osserva il contenuto della cartella `dist/client` (indicata come `config.build.client` nel codice Astro). Tutti i server Astro rendono questa cartella accessibile al pubblico senza alcuna autenticazione. Contiene file `.map` corrispondenti al codice che viene eseguito sul server. Tutti i progetti **server-output** su Astro nelle versioni **v5.0.3** fino a **v5.0.7**, che hanno **sourcemaps abilitati**, direttamente o tramite un plugin come `sentry`, sono interessati. La correzione per i progetti **server-output** è stata rilasciata in **[email protected]**. Inoltre, tutti i progetti **static-output** costruiti con Astro nelle versioni **4.16.17 o precedenti** o nelle versioni **5.0.8 o precedenti** che hanno **sourcemaps abilitati** sono anch'essi vulnerabili. La correzione per i progetti **static-output** è stata rilasciata in **[email protected]**, e backportata ad Astro v4 in **[email protected]**. L'impatto immediato riguarda il codice sorgente. Nessun segreto o variabile di ambiente viene esposto a meno che non siano presenti letteralmente nel codice sorgente. Non vi è alcuna perdita immediata di integrità del server vulnerabile. Tuttavia, è possibile scoprire successivamente un'altra vulnerabilità tramite il codice sorgente rivelato. Non vi è un impatto immediato sulla disponibilità del server vulnerabile. Tuttavia, la presenza di un'espressione regolare insicura, ad esempio, può essere rapidamente sfruttata per compromettere successivamente la disponibilità. La correzione per i progetti **server-output** è stata rilasciata in **[email protected]**, e quella per i progetti **static-output** è stata rilasciata in **[email protected]** e backportata ad Astro v4 in **[email protected]**. Si consiglia agli utenti di aggiornare immediatamente se utilizzano sourcemaps o un'integrazione che abilita i sourcemaps.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0113

Percentile

0,8th

Updated

EPSS Score Trend (Last 90 Days)

219

Storage of File with Sensitive Data Under Web Root

Draft

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Technologies: Web Based, Web Server

View CWE Details

Application

Astro by Astro

Product Information

Vendor Astro

Product Astro

Version Range Affected

To 4.16.18 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Astro by Astro

Product Information

Vendor Astro

Product Astro

Version Range Affected

From 5.0.0 (inclusive)

To 5.0.8 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/withastro/astro/security/advisories/GHSA…

https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr

https://github.com/getsentry/sentry-javascript/blob/develop…

https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/…

https://github.com/withastro/astro/blob/176fe9f113fd912f9b6…

https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2…

https://github.com/withastro/astro/issues/12703

https://github.com/withastro/astro/security/advisories/GHSA…

https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr

CVE-2024-56159

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Storage of File with Sensitive Data Under Web Root

Common Consequences

Applicable Platforms

Astro by Astro

Product Information

Astro by Astro

Product Information

Iscriviti alla newsletter