Astro Reflected Cross-Site Scripting Vulnerability in Development Server Error Pages
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Astro web framework, affecting versions from 5.2.0 up to, but not including, 5.15.6. The issue arises in the development server's error pages when the 'trailingSlash' configuration option is used. It allows an attacker to inject arbitrary JavaScript that executes in the context of the victim's browser. Although it affects only the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected JavaScript is executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, configure the Astro development server with the 'trailingSlash' option set to 'always' or 'never'. Then visit a URL whose trailing slash does not match that setting. The server responds with a 404 error page that includes a link to the corrected URL, but this link is built from the requested URL and therefore carries the injected JavaScript payload. Clicking the link executes the JavaScript in the browser.
Remediation
Users can update to Astro version 5.15.6 or later, where this vulnerability has been fixed.
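The following is an added illustration, not Astro's own code or its actual patch: it models how a 404 page's "corrected URL" link becomes reflected XSS when the request path is interpolated into HTML unescaped, and shows the output-escaping fix. Function names, the trailingSlash handling and the sample path are assumptions constructed for the example.

```javascript
// Added example (not Astro's code). Models a dev-server 404 page that
// suggests the URL with the "right" trailing slash, first unescaped,
// then with HTML output encoding applied.

// Compute the path the user probably wanted under the trailingSlash
// setting ('always' or 'never'); assumption, not Astro's real logic.
function suggestedPath(requestPath, trailingSlash) {
  if (trailingSlash === 'always' && !requestPath.endsWith('/')) {
    return requestPath + '/';
  }
  if (trailingSlash === 'never' && requestPath.length > 1 && requestPath.endsWith('/')) {
    return requestPath.slice(0, -1);
  }
  return requestPath;
}

// Vulnerable pattern: the attacker-controlled request path lands in the
// HTML verbatim, so a quote in the path closes the href attribute and
// the remainder is parsed as markup.
function errorLinkUnsafe(requestPath, trailingSlash) {
  const target = suggestedPath(requestPath, trailingSlash);
  return `<a href="${target}">${target}</a>`;
}

// Escape the characters that matter in text and quoted-attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened pattern: encode on output. The browser decodes the entities
// when reading the href, so the link still works for legitimate paths.
function errorLinkSafe(requestPath, trailingSlash) {
  const target = escapeHtml(suggestedPath(requestPath, trailingSlash));
  return `<a href="${target}">${target}</a>`;
}

// Constructed sample: a request path that breaks out of the href attribute
// with a harmless <b> tag as the marker of markup injection.
const SAMPLE_PATH = '/docs/"><b>x</b>';
```

Attribute escaping is the minimal fix; a dev server can additionally percent-encode the path with encodeURI before using it as a URL so that the href never contains raw quotes or angle brackets at all.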
