Astro's server source code is exposed to the public if sourcemaps are enabled
- Severity:
- High
Description
A bug in the build process allows any unauthenticated user to read parts of the server source code.
Recommendation
Update the astro package to the latest compatible version. Followings are version details:
Affected version(s): **>= 5.0.0-alpha.0, < 5.0.8 <= 4.16.17** Patched version(s): **5.0.8 4.16.18**
References
Related Issues
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
- webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
- webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins - CVE-2026-6402
- @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
You might also like:
- Tags:
- npm
- astro
Anything's wrong? Let us know Last updated on November 27, 2025


