Blog
withastro/astro
The web framework for content-driven websites. ⭐️ Star to support our work!
#static-site-generator#blog#islands#components#node#browser#server#hybrid#universal#astro#static
Score: 65 / 100
Stars: 59,319
Forks: 3,448
Open issues: 101
Size: 219MB
Language: TypeScript ★
Last push: 0 days ago
Docker: —
Scoring breakdown
Past CVEs: 19 (somewhat many)
✓ Recent push: 0 days ago
✓ Primary language (TypeScript)
✓ Open issues: 101
✓ Large repository (219MB)
— Docker not supported
— 50k–100k stars: advanced tier (★59,319)
— Note: see the "Scoring rules" for the weight of each item. The total is floored at 0.
Past Security Advisories (20)
- Server island encrypted parameters vulnerable to cross-component replay
- SSRF via redirect following in Cloudflare image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
- XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass
- Cache Poisoning due to incorrect error handling when if-match header is malformed
- Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
- Memory exhaustion DoS due to missing request body size limit in Server Islands
- Remote allowlist bypass via unanchored matchPathname wildcard
- Full-Read SSRF in error rendering via Host: header injection
- Memory exhaustion DoS due to missing request body size limit in Server Actions
- SSRF due to missing allowlist enforcement in remote image inferSize
- bypass for CVE-2025-64765
- Cross Site Scripting in /_image endpoint in Astro Cloudflare adapter
- Arbitrary Local File Read in Astro Development Server
- Middleware authentication checks based on url.pathname can be bypassed via url encoded values
- Reflected XSS via the server islands feature
- Reflected XSS in Astro development server error page
- URL manipulation via unsanitized headers leads to path-based middleware protections bypass and potential SSRF/cache-poisoning + CVE-2025-61925 bypass
- Bypass of image proxy domain validation (CVE-2025-58179) - SSRF and potential XSS
- Validate Changesets workflow vulnerable to arbitrary code execution
- `X-Forwarded-Host` reflected with no validation