{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T06:03:31.433","vulnerabilities":[{"cve":{"id":"CVE-2024-56140","sourceIdentifier":"security-advisories@github.com","published":"2024-12-18T21:15:08.353","lastModified":"2025-11-25T13:42:59.937","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check. However, a vulnerability exists that can bypass this security. A semicolon-delimited parameter is allowed after the type in `Content-Type`. Web browsers will treat a `Content-Type` such as `application/x-www-form-urlencoded; abc` as a `simple request` and will not perform preflight validation. In this case, CSRF is not blocked as expected. Additionally, the `Content-Type` header is not required for a request. This issue has been addressed in version 4.16.17 and all users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"Astro es un framework para sitios web basados en contenido. En las versiones afectadas, un error en el middleware de protección CSRF de Astro permite que las solicitudes eludan las comprobaciones CSRF. Cuando la opción de configuración `security.checkOrigin` se establece en `true`, el middleware Astro realizará una comprobación CSRF. Sin embargo, existe una vulnerabilidad que puede eludir esta seguridad. Se permite un parámetro delimitado por punto y coma después del tipo en `Content-Type`. Los navegadores web tratarán un `Content-Type` como `application/x-www-form-urlencoded; abc` como una `solicitud simple` y no realizarán una validación previa. En este caso, CSRF no se bloquea como se esperaba. Además, el encabezado `Content-Type` no es necesario para una solicitud. Este problema se ha solucionado en la versión 4.16.17 y se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":4.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*","versionEndExcluding":"4.16.17","matchCriteriaId":"EC2DFB09-8B1E-4AA4-AADA-D16A2D4423C4"}]}]}],"references":[{"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests","source":"security-advisories@github.com","tags":["Technical Description"]},{"url":"https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}