CVE-2024-56140 Information
Description
Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the security.checkOrigin configuration option is set to true Astro middleware will perform a CSRF check. However a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in Content-Type. Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case CSRF is not blocked as expected. Additionally the Content-Type header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
Astro
is
a
web
framework
for
content-driven
websites.
In
affected
versions
a
bug
in
Astro’s
CSRF-protection
middleware
allows
requests
to
bypass
CSRF
checks.
When
the
security.checkOrigin
configuration
option
is
set
to
true
Astro
middleware
will
perform
a
CSRF
check.
However
a
vulnerability
exists
that
can
bypass
this
security.
A
semicolon-delimited
parameter
is
allowed
after
the
type
in
Content-Type.
Web
browsers
will
treat
a
Content-Type
such
as
application/x-www-form-urlencoded; abc
as
a
simple request
and
will
not
perform
preflight
validation.
In
this
case
CSRF
is
not
blocked
as
expected.
Additionally
the
Content-Type
header
is
not
required
for
a
request.
This
issue
has
been
addressed
in
version
4.16.17
and
all
users
are
advised
to
upgrade.
There
are
no
known
workarounds
for
this
vulnerability.