Astro On-Demand Rendering Insecure Header Handling Vulnerability Allowing Route Bypass, SSRF, and Cache Poisoning
Vulnerability
A vulnerability exists in Astro versions from 2.16.0 up to, but not including, 5.15.5 that use on-demand rendering. The issue arises from insecure handling of the request headers 'x-forwarded-proto' and 'x-forwarded-port', whose values are used to construct URLs without proper sanitization. An attacker who controls these headers can bypass middleware protections on routes, cause denial of service through cache poisoning if a CDN is present, perform server-side request forgery (SSRF) via 'x-forwarded-proto', pollute URLs in a way that could lead to cross-site scripting (XSS) if a CDN is involved, and bypass web application firewalls (WAFs).
Impact
Exploitation of this vulnerability can lead to unauthorized access to protected routes, manipulation of server-side requests, cache poisoning that disrupts application availability, and potential cross-site scripting attacks through injected URLs.
Reproduction
To reproduce this vulnerability, send a request to a non-static (on-demand rendered) page with the 'x-forwarded-proto' header set to a malicious URL, such as 'https://www.malicious-url.com/?tank='. The header value is inserted unsanitized into the URL constructed for the request, bypassing middleware protections and potentially leading to SSRF or cache poisoning. Likewise, 'x-forwarded-port' can be used to manipulate port-based routing or to create similar injection effects.
Remediation
Users can update to Astro version 5.15.6 or later, where this vulnerability has been patched. The update includes improved validation and sanitization of 'X-Forwarded' headers to prevent exploitation.
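As an added illustration of the header-validation fix the remediation describes (example code written for this page, not Astro's own patch): the naive construction the advisory warns about, side by side with a hardened version that accepts only the tokens a reverse proxy can legitimately send. The functions buildUrlUnsafe, buildUrlSafe, parseForwardedProto and parseForwardedPort, and the sample headers, are all constructed for this example; it assumes a Node.js runtime with the WHATWG URL class and that the hostname comes from trusted server configuration rather than from forwarded headers.

```javascript
// Added example, not Astro's code: validating X-Forwarded-Proto and
// X-Forwarded-Port before using them to rebuild the request URL.

const ALLOWED_PROTOS = new Set(["http", "https"]);

// Vulnerable pattern: header values are dropped straight into the URL string,
// so a header carrying a full URL rewrites the scheme and host of the result.
function buildUrlUnsafe(headers, hostname, path) {
  const proto = headers["x-forwarded-proto"] || "http";
  const port = headers["x-forwarded-port"] || "";
  return `${proto}://${hostname}${port ? ":" + port : ""}${path}`;
}

// Hardened: only "http" or "https" are accepted; anything else falls back.
function parseForwardedProto(value, fallback = "http") {
  if (typeof value !== "string") return fallback;
  // A proxy chain may send "https, http"; only the first hop is relevant.
  const first = value.split(",")[0].trim().toLowerCase();
  return ALLOWED_PROTOS.has(first) ? first : fallback;
}

// Hardened: the port must be a bare integer in 1..65535, nothing else.
function parseForwardedPort(value) {
  if (typeof value !== "string") return null;
  const first = value.split(",")[0].trim();
  if (!/^\d{1,5}$/.test(first)) return null;
  const n = Number(first);
  return n >= 1 && n <= 65535 ? n : null;
}

// Rebuild the URL from validated parts. The hostname is taken from trusted
// configuration (assumption for this example), never from X-Forwarded-*.
// trustProxy should be true only when a proxy in front of the app overwrites
// these headers; otherwise they are attacker-controlled and must be ignored.
function buildUrlSafe(headers, hostname, path, trustProxy = true) {
  if (typeof path !== "string" || !/^\/(?!\/)/.test(path)) {
    throw new Error("path must be absolute and not protocol-relative");
  }
  const proto = trustProxy ? parseForwardedProto(headers["x-forwarded-proto"]) : "http";
  const port = trustProxy ? parseForwardedPort(headers["x-forwarded-port"]) : null;
  const base = new URL(`${proto}://${hostname}`);
  if (port !== null) base.port = String(port); // default ports are elided by URL
  return new URL(path, base.href).href;
}

// Constructed sample request mirroring the reproduction step above.
const sampleHeaders = {
  "x-forwarded-proto": "https://www.malicious-url.com/?tank=",
  "x-forwarded-port": "8443",
};

console.log("unsafe:", buildUrlUnsafe(sampleHeaders, "example.com", "/admin"));
console.log("safe:  ", buildUrlSafe(sampleHeaders, "example.com", "/admin"));
```

Running it shows the unsafe URL's host becoming www.malicious-url.com, while the hardened version discards the bad scheme and yields http://example.com:8443/admin. Allow-listing the two tokens is deliberately stricter than escaping: there is no legitimate reason for a proxy to forward any other scheme, and a rejected value falling back to a known default keeps cache keys and route matching stable.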