CVE-2024-56140 (GCVE-0-2024-56140)
Vulnerability from cvelistv5 – Published: 2024-12-18 20:41 – Updated: 2024-12-18 21:03
VLAI?
Summary
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.9 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56140",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-18T21:03:26.338528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T21:03:36.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework for content-driven websites. In affected versions a bug in Astro\u2019s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T20:41:06.806Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw"
},
{
"name": "https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests"
},
{
"name": "https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts"
}
],
"source": {
"advisory": "GHSA-c4pw-33h3-35xw",
"discovery": "UNKNOWN"
},
"title": "Bypass of CSRF Middleware in Astro"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56140",
"datePublished": "2024-12-18T20:41:06.806Z",
"dateReserved": "2024-12-16T17:30:30.068Z",
"dateUpdated": "2024-12-18T21:03:36.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Astro is a web framework for content-driven websites. In affected versions a bug in Astro\\u2019s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Astro es un framework para sitios web basados en contenido. En las versiones afectadas, un error en el middleware de protecci\\u00f3n CSRF de Astro permite que las solicitudes eludan las comprobaciones CSRF. Cuando la opci\\u00f3n de configuraci\\u00f3n `security.checkOrigin` se establece en `true`, el middleware Astro realizar\\u00e1 una comprobaci\\u00f3n CSRF. Sin embargo, existe una vulnerabilidad que puede eludir esta seguridad. Se permite un par\\u00e1metro delimitado por punto y coma despu\\u00e9s del tipo en `Content-Type`. Los navegadores web tratar\\u00e1n un `Content-Type` como `application/x-www-form-urlencoded; abc` como una `solicitud simple` y no realizar\\u00e1n una validaci\\u00f3n previa. En este caso, CSRF no se bloquea como se esperaba. Adem\\u00e1s, el encabezado `Content-Type` no es necesario para una solicitud. Este problema se ha solucionado en la versi\\u00f3n 4.16.17 y se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad.\"}]",
"id": "CVE-2024-56140",
"lastModified": "2024-12-18T21:15:08.353",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 4.2}]}",
"published": "2024-12-18T21:15:08.353",
"references": "[{\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-56140\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-18T21:15:08.353\",\"lastModified\":\"2025-11-25T13:42:59.937\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Astro is a web framework for content-driven websites. In affected versions a bug in Astro\u2019s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Astro es un framework para sitios web basados en contenido. En las versiones afectadas, un error en el middleware de protecci\u00f3n CSRF de Astro permite que las solicitudes eludan las comprobaciones CSRF. Cuando la opci\u00f3n de configuraci\u00f3n `security.checkOrigin` se establece en `true`, el middleware Astro realizar\u00e1 una comprobaci\u00f3n CSRF. Sin embargo, existe una vulnerabilidad que puede eludir esta seguridad. Se permite un par\u00e1metro delimitado por punto y coma despu\u00e9s del tipo en `Content-Type`. Los navegadores web tratar\u00e1n un `Content-Type` como `application/x-www-form-urlencoded; abc` como una `solicitud simple` y no realizar\u00e1n una validaci\u00f3n previa. En este caso, CSRF no se bloquea como se esperaba. Adem\u00e1s, el encabezado `Content-Type` no es necesario para una solicitud. Este problema se ha solucionado en la versi\u00f3n 4.16.17 y se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"4.16.17\",\"matchCriteriaId\":\"EC2DFB09-8B1E-4AA4-AADA-D16A2D4423C4\"}]}]}],\"references\":[{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-56140\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-18T21:03:26.338528Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-18T21:03:29.926Z\"}}], \"cna\": {\"title\": \"Bypass of CSRF Middleware in Astro\", \"source\": {\"advisory\": \"GHSA-c4pw-33h3-35xw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"withastro\", \"product\": \"astro\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.16.17\"}]}], \"references\": [{\"url\": \"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw\", \"name\": \"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de\", \"name\": \"https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts\", \"name\": \"https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Astro is a web framework for content-driven websites. In affected versions a bug in Astro\\u2019s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-18T20:41:06.806Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-56140\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-18T21:03:36.201Z\", \"dateReserved\": \"2024-12-16T17:30:30.068Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-18T20:41:06.806Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…