-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaScriptJavaScriptMiggo AIRoot Cause AnalysisThe vulnerability stems from how external resources were handled in SSR content processing. The function updateDynamicPageSriHashes() in src/core.mjs previously: 1. Automatically fetched and generated SRI hashes for ANY external resource URL found in content 2. Lacked validation against an allow-list for cross-origin resources 3. Directly modified CSP headers based on these uncontrolled hashes. The commit diff shows critical changes where external resource processing was modified to require explicit allow-listing, and removed automatic fetching of arbitrary URLs. This function was the primary entry point for processing user-influenced content into security headers, making it the core vulnerable component.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @kindspells/astro-shield | npm | = 1.2.0 | 1.3.0 |
Ongoing coverage of React2Shell