CVE-2024-29896

HIGH

astro-shield 1.2.0-1.2.9 - Cross-Site Scripting via CSP Header Generation

Title source: llm

Description

Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts. The fix is available in version 1.3.0.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8m

Patch x_refsource_misc

https://github.com/KindSpells/astro-shield/commit/41b84576d37fa486a57005ea297658d0bc38566d

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0059

EPSS Percentile 43.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-74

Status published

Products (2)

kindspells/astro-shield 1.2.0

kindspells/astro-shield 1.2.0 - 1.3.0npm

Published Mar 28, 2024

Tracked Since Feb 18, 2026