Skip to content

astro-5.18.1.tgz: 4 vulnerabilities (highest severity is: 7.5) #189

Open
Open
astro-5.18.1.tgz: 4 vulnerabilities (highest severity is: 7.5)#189
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Apr 1, 2026
Vulnerable Library - astro-5.18.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz

Path to dependency file: /tutorials/video-javascript-multiparty/package.json

Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (astro version) Remediation Possible**
CVE-2026-42570 High 7.5 devalue-5.6.4.tgz Transitive N/A*
CVE-2026-41305 Medium 6.1 postcss-8.5.6.tgz Transitive 6.0.0
CVE-2026-41067 Medium 6.1 astro-5.18.1.tgz Direct 6.1.6
CVE-2026-45028 Medium 5.3 astro-5.18.1.tgz Direct 6.1.10

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-42570

Vulnerable Library - devalue-5.6.4.tgz

Gets the job done when JSON.stringify can't

Library home page: https://registry.npmjs.org/devalue/-/devalue-5.6.4.tgz

Path to dependency file: /tutorials/video-javascript-multiparty_archiving/package.json

Path to vulnerable library: /tutorials/video-javascript-multiparty_archiving/package.json,/tutorials/verify-backend/package.json,/toolbar-app/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/webxr-javascript-workshop/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/voice-node-app_to_app/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video_learning_server-node-deploy/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-debugging/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video-javascript-multiparty/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/package.json

Dependency Hierarchy:

  • astro-5.18.1.tgz (Root Library)
    • devalue-5.6.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

"devalue.parse" could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.

Publish Date: 2026-05-14

URL: CVE-2026-42570

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2026-41305

Vulnerable Library - postcss-8.5.6.tgz

Tool for transforming styles with JS plugins

Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz

Path to dependency file: /sources/voice-javascript-workshop/package.json

Path to vulnerable library: /sources/voice-javascript-workshop/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/video-javascript-one_to_one/package.json,/toolbar-app/package.json,/tutorials/verify-backend/package.json,/tutorials/voice-javascript-workshop/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/tutorials/video-javascript-signaling/package.json,/tutorials/voice-node-app_to_app/package.json,/tutorials/webxr-javascript-workshop/package.json,/sources/webxr-javascript-workshop/package.json,/tutorials/video-javascript-debugging/package.json,/sources/video_learning_server-node-deploy/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/sources/video-javascript-one_to_one/package.json,/sources/video-javascript-signaling/package.json,/tutorials/video_learning_server-node-deploy/package.json,/tutorials/video-javascript-multiparty/package.json,/tutorials/package.json

Dependency Hierarchy:

  • astro-5.18.1.tgz (Root Library)
    • vite-6.4.2.tgz
      • postcss-8.5.6.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.

Publish Date: 2026-04-24

URL: CVE-2026-41305

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qx2v-qp2m-jg93

Release Date: 2026-04-24

Fix Resolution (postcss): 8.5.10

Direct dependency fix Resolution (astro): 6.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-41067

Vulnerable Library - astro-5.18.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz

Path to dependency file: /tutorials/video-javascript-multiparty/package.json

Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json

Dependency Hierarchy:

  • astro-5.18.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /</script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-04-24

URL: CVE-2026-41067

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j687-52p2-xcff

Release Date: 2026-04-24

Fix Resolution: 6.1.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-45028

Vulnerable Library - astro-5.18.1.tgz

Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz

Path to dependency file: /tutorials/video-javascript-multiparty/package.json

Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json

Dependency Hierarchy:

  • astro-5.18.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.

Publish Date: 2026-05-13

URL: CVE-2026-45028

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xr5h-phrj-8vxv

Release Date: 2026-05-14

Fix Resolution: 6.1.10

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions