Astro's server source code is exposed to the public if sourcemaps are enabled

Description

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Recommendation

Update the astro package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0-alpha.0, < 5.0.8

  <= 4.16.17**

• Patched version(s): **5.0.8

  4.16.18**

References

• GHSA-49w6-73cw-chjr
• CVE-2024-56159
• CWE-219
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• webpack-dev-server users' source code may be stolen when they access a malicious web site - CVE-2025-30359
• @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
• @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
• happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757

Tags:

npm

astro