Astro's server source code is exposed to the public if sourcemaps are enabled
Severity: High
Description
When sourcemaps are enabled, a bug in the build process allows any unauthenticated user to read parts of the server's source code.
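A post-upgrade check of the kind a maintainer might run, added here as an example (not Astro's own code): it walks a publicly served build directory and reports every sourcemap whose `sourcesContent` embeds source text, which is what lets an unauthenticated visitor read it. It assumes the Astro SSR layout in which `dist/client` is the public directory, and the sample tree it builds is constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

def sourcemap_leaks(public_dir):
    """Return one finding per .map file under public_dir whose sourcesContent
    carries source text; each finding lists the embedded source paths."""
    public_dir = Path(public_dir)
    findings = []
    for map_path in sorted(public_dir.rglob("*.map")):
        try:
            data = json.loads(map_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # not a JSON sourcemap, so it carries no source text
        if not isinstance(data, dict):
            continue
        sources = data.get("sources") or []
        contents = data.get("sourcesContent") or []
        embedded = [src for src, body in zip(sources, contents) if body]
        if embedded:
            findings.append({"map": map_path.relative_to(public_dir).as_posix(),
                             "embedded_sources": embedded})
    return findings

def build_sample(root):
    """Write a constructed tree shaped like an Astro SSR build (dist/client is the
    assumed public directory); every file below is made up for this demo."""
    client = Path(root) / "dist" / "client" / "_astro"
    client.mkdir(parents=True)
    (client / "page.js").write_text("console.log(1);\n//# sourceMappingURL=page.js.map\n")
    # A map emitted for server-side code: its sourcesContent is the leak.
    (client / "page.js.map").write_text(json.dumps({
        "version": 3,
        "sources": ["../../../src/pages/index.astro", "../../../src/lib/db.ts"],
        "sourcesContent": ["---\nconst rows = await db.query();\n---",
                           "export const db = connect(process.env.DB_URL);"],
        "mappings": "AAAA"}))
    # A map without embedded content reveals file names only, not source text.
    (client / "vendor.js.map").write_text(json.dumps({
        "version": 3, "sources": ["node_modules/dep.js"],
        "sourcesContent": [None], "mappings": "AAAA"}))
    return client.parent

def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return sourcemap_leaks(build_sample(tmp))

if __name__ == "__main__":
    for f in demo():
        print(f["map"], "embeds", ", ".join(f["embedded_sources"]))
```

Point `sourcemap_leaks()` at the directory your adapter actually serves; an empty result after upgrading to a patched version is the expected outcome.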
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): **<= 4.16.17**; **>= 5.0.0-alpha.0, <= 5.0.7**
- Patched version(s): **4.16.18**; **5.0.8**
References
Related Issues
- Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
- tiny-secp256k1 allows for verify() bypass when running in bundled environment - CVE-2024-49365
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) - CVE-2025-27597
- Astro CSRF Middleware Bypass (security.checkOrigin) - CVE-2024-56140
Tags: npm, astro
Last updated on December 19, 2024