Description
Content-Security-Policy header generation in middleware could be compromised by malicious injections
Impact
When the following conditions are met:
- Automated CSP header generation for SSR content is enabled
- The web application serves content that can be partially controlled by external users
Then the CSP header generation feature may allow-list malicious injected resources, such as inline JS or references to external malicious scripts, because the hashes (or sources) it emits are derived from the rendered output, which already contains the injected content.
Patches
Available in version 1.3.0.
Workarounds
- Do not enable CSP headers generation.
- Use it only for dynamically generated content that cannot be controlled by external users in any way.
References
- https://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8m
- https://nvd.nist.gov/vuln/detail/CVE-2024-29896
- https://github.com/KindSpells/astro-shield/commit/41b84576d37fa486a57005ea297658d0bc38566d
- https://github.com/KindSpells/astro-shield/commit/ad3abf5577bae9be420b7ddf376337a5b8817869
- https://github.com/KindSpells/astro-shield/compare/1.2.0...1.3.0
Packages
Package: @kindspells/astro-shield
Affected versions: = 1.2.0
Patched versions: 1.3.0
Related vulnerabilities
Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. When automated CSP headers generation for SSR content is enabled and the web application serves content that can be partially controlled by external users, then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts. The fix is available in version 1.3.0.