Astro Web Framework X-Forwarded-Host Header Reflection Vulnerability
Vulnerability
A vulnerability exists in the Astro web framework, prior to version 5.14.2, where the framework reflects the value of the X-Forwarded-Host header without validation. This issue can be exploited by sending a request with a malicious X-Forwarded-Host header that does not match the Host header value. Astro will return the malicious X-Forwarded-Host value, which could be used to manipulate the Astro.url property in the application. This vulnerability is particularly concerning when Astro is used in on-demand rendering mode behind a caching proxy, as the malicious value could be cached and served to subsequent users.
Impact
Exploitation of this vulnerability could lead to unauthorized manipulation of URLs generated by Astro.url, potentially allowing for phishing attacks or the misdirection of login credentials to malicious parties. If the application is behind a caching proxy, such as Cloudflare, the malicious X-Forwarded-Host value could be cached and persisted for other users.
Reproduction
To reproduce this vulnerability, deploy an Astro application prior to version 5.14.2 in on-demand rendering mode behind a caching proxy. Send a request to the application with a malicious X-Forwarded-Host header and a matching Host header. The response will reflect the malicious X-Forwarded-Host value. If the proxy caches that response, subsequent users will also receive the malicious value.
Remediation
Users can upgrade to Astro version 5.14.2 or later, where this vulnerability has been fixed.