Astro AES-GCM Encryption Vulnerability in Server Islands Components Allowing Cross-Component Replay
Vulnerability
In Astro versions prior to 6.1.10, a vulnerability exists in the AES-GCM encryption used to secure server island props and slots parameters. The encryption did not bind the ciphertext to its intended component or parameter type, allowing an attacker to replay one component's encrypted props value as another component's slots value, or vice versa. This could lead to cross-site scripting (XSS) vulnerabilities, as slots can contain raw unescaped HTML while props may include user-controlled values. The issue arises when two different server island components share the same key name for a prop and a slot, and an attacker can manipulate the overlapping prop value, particularly on dynamically rendered pages.
Impact
Exploitation could result in XSS vulnerabilities, allowing for the injection of malicious scripts that could be executed in the context of the user.
Reproduction
To reproduce this vulnerability, create an Astro application using a version prior to 6.1.10. Implement server islands components that share the same key name for a prop and a slot. Ensure that one of the props contains a value controlled by the user. When the page is rendered, the overlapping prop value can be replayed as a slot value, leading to XSS.
Remediation
Update Astro to version 6.1.10 or later, where this vulnerability has been patched by binding each encrypted parameter to its component and purpose (props or slots) using additional authenticated data (AAD) in the AES-GCM encryption, so that a ciphertext produced for one component or purpose fails authentication when presented for another.
