Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Severity:: Medium

Description

The @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel’s platform-level path restrictions entirely.

Recommendation

Update the @astrojs/vercel package to the latest compatible version. Followings are version details:

Affected version(s): < 10.0.2
Patched version(s): 10.0.2

References

GHSA-mr6q-rp88-fx84
CVE-2026-33768
CWE-441
CWE-862
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-es - CVE-2026-2950

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; @astrojs/vercel

Anything's wrong? Let us know Last updated on March 26, 2026