7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-30250

GHSA ID

GHSA-c4gr-q97g-ppwc

EPSS Score

0.25811%

CWE

CWE-345

Published

4/1/2024

Updated

9/12/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-30250

CVE-2024-30250: In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists

Impact

Versions from 1.2.0 to 1.3.1 of Astro-Shield allow to bypass the allow-lists for cross-origin resources by introducing valid integrity attributes to the injected code. This implies that the injected SRI hash would be added to the generated CSP header, which would lead the browser to believe that the injected resource is legit.

To exploit this vulnerability, the attacker needs to first inject code into the rendered pages by exploiting other not-related potential vulnerabilities.

Patches

Version 1.3.2 provides a patch.

Workarounds

To not use the middleware functionality of Astro-Shield.
To use the middleware functionality of Astro-Shield ONLY for content that cannot be controlled in any way by external users.

References

Are there any links users can visit to find out more?

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-30250

GHSA ID

GHSA-c4gr-q97g-ppwc

EPSS Score

0.25811%

CWE

CWE-345

Published

4/1/2024

Updated

9/12/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@kindspells/astro-shield	npm	>= 1.2.0, < 1.3.2	1.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from improper validation of SRI hashes for injected resources. The updateDynamicPageSriHashes function is directly responsible for processing dynamic content and adding hashes to the CSP header. Pre-patch, it allowed non-allow-listed resources with valid integrity attributes to be included in the CSP, bypassing allow-lists. The scanAllowLists function's lack of optional chaining (patched to use ?? []) suggests it might fail to process allow-lists correctly, but this is a secondary factor. The primary vulnerability lies in the dynamic processing logic trusting unvalidated integrity hashes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t V*rsions *rom *.*.* to *.*.* o* *stro-S*i*l* *llow to *yp*ss t** *llow-lists *or *ross-ori*in r*sour**s *y intro*u*in* v*li* `int**rity` *ttri*ut*s to t** inj**t** *o**. T*is impli*s t**t t** inj**t** SRI **s* woul* ** ***** to t** **n*r*

Reasoning

T** vuln*r**ility *ris*s *rom improp*r v*li**tion o* SRI **s**s *or inj**t** r*sour**s. T** `up**t**yn*mi*P***Sri**s**s` *un*tion is *ir**tly r*sponsi*l* *or pro**ssin* *yn*mi* *ont*nt *n* ***in* **s**s to t** *SP *****r. Pr*-p*t**, it *llow** non-*l

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-30250: In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI