5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-56140

GHSA ID

GHSA-c4pw-33h3-35xw

EPSS Score

0.09074%

CWE

CWE-352

Published

12/18/2024

Updated

12/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-56140

CVE-2024-56140:
Atro CSRF Middleware Bypass (security.checkOrigin)

Summary

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Details

When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)

For example, with the following Astro configuration:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

export default defineConfig({
	output: 'server',
	security: { checkOrigin: true },
	adapter: node({ mode: 'standalone' }),
});

A request like the following would be blocked if made from a different origin:

// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
	method: 'POST',
	credentials: 'include',
	body: 'a=b',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden

However, a vulnerability exists that can bypass this security.

Pattern 1: Requests with a semicolon after the `Content-Type`

A semicolon-delimited parameter is allowed after the type in Content-Type.

Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.

fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: 'test',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).

Pattern 2: Request without `Content-Type` header

The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.

// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });

// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: new Blob(['a=b'], {}),
});

Impact

Bypass CSRF protection implemented with CSRF middleware.

[!Note] Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-56140

GHSA ID

GHSA-c4pw-33h3-35xw

EPSS Score

0.09074%

CWE

CWE-352

Published

12/18/2024

Updated

12/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
astro	npm	< 4.16.17	4.16.17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the middleware's Content-Type handling in createOriginCheckMiddleware. The original code used FORM_CONTENT_TYPES.includes(contentType.toLowerCase()) which required exact MIME type matches, failing to account for: 1) parameters in Content-Type headers (application/x-www-form-urlencoded; abc), and 2) requests without Content-Type headers. The patched commit introduced hasFormLikeHeader with .includes() checks and separate handling for missing headers, confirming these were the vulnerable code paths. The file path and function name are explicitly referenced in both the vulnerability details and commit diff.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * *u* in *stro’s *SR*-prot**tion mi**l*w*r* *llows r*qu*sts to *yp*ss *SR* ****ks. ### **t*ils W**n t** `s**urity.****kOri*in` *on*i*ur*tion option is s*t to `tru*`, *stro mi**l*w*r* will p*r*orm * *SR* ****k. (Sour** *o**: *ttps://*it

Reasoning

T** vuln*r**ility st*ms *rom t** mi**l*w*r*'s *ont*nt-Typ* **n*lin* in *r**t*Ori*in****kMi**l*w*r*. T** ori*in*l *o** us** *ORM_*ONT*NT_TYP*S.in*lu**s(*ont*ntTyp*.toLow*r**s*()) w*i** r*quir** *x**t MIM* typ* m*t***s, **ilin* to ***ount *or: *) p*r*m

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-56140: Atro CSRF Middleware Bypass (security.checkOrigin)

Summary

Details

Pattern 1: Requests with a semicolon after the Content-Type

Pattern 2: Request without Content-Type header

Impact

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-56140:
Atro CSRF Middleware Bypass (security.checkOrigin)

Pattern 1: Requests with a semicolon after the `Content-Type`

Pattern 2: Request without `Content-Type` header

Vulnerability Intelligence
Miggo AI