Astro's server source code is exposed to the public if sourcemaps are enabled

Description

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Recommendation

Update the astro package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0-alpha.0, < 5.0.8

  <= 4.16.17**

• Patched version(s): **5.0.8

  4.16.18**

References

• GHSA-49w6-73cw-chjr
• CVE-2024-56159
• CWE-219
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
• webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
• happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
• @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752

Tags:

npm

astro