CVE Catalog

CVE-2026-54299

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile - higher than 9% of all known CVEs

Summary

Astro is a web framework that prior to version 6.4.6 had an issue with SSR apps using prerendered error pages. When an error occurred, these pages were fetched over HTTP, allowing an attacker to direct the request to an arbitrary host.

Risk Assessment

The lack of validation for the Host header allows an attacker to read responses from any host, potentially leading to the exposure of sensitive information.

Recommendation

It is recommended to upgrade to version 6.4.6 or later to mitigate this vulnerability and to implement Host header validation in applications.

Original NVD description (English source)

Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response. This vulnerability is fixed in 6.4.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS