CVE-2026-54299
Astro: Host header SSRF in prerendered error page fetch
描述
## Summary Astro SSR apps with prerendered error pages (`/404` or `/500` using `export const prerender = true`) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from `request.url`, which in turn gets its origin from the incoming `Host` header. When the `Host` header is not validated against `allowedDomains`, an attacker can point the fetch at an arbitrary host and read the response. ## Who is affected This affects SSR deployments that: 1. Have a prerendered 404 or 500 page 2. Use `createRequestFromNodeRequest` from `astro/app/node` with `app.render()` **without** overriding `prerenderedErrorPageFetch` — this includes custom servers built on the public API and third-party adapters **Not affected:** - `@astrojs/node` >= 9.5.4 (reads error pages from disk) - `@astrojs/cloudflare` (uses the ASSETS binding) - The dev server (renders error pages in-process) ## How it works `createRequestFromNodeRequest` builds `request.url` from the raw `Host` / `:authority` header. The `allowedDomains` option is accepted but only gates `X-Forwarded-For` — it does not constrain the URL origin. (The public `createRequest` does fall back to `localhost` for unvalidated hosts; this internal builder did not.) When `app.render()` encounters a 404 or 500 with a prerendered error route, `default-handler.ts` constructs the error page URL using the origin from `request.url` and fetches it via `prerenderedErrorPageFetch`, which defaults to global `fetch`. The response body is served to the client. An attacker sends a request with `Host: attacker-host:port`, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back. ## Remediation The error page fetch origin is now validated against `allowedDomains` before use. When the host is validated, the original origin is preserved. Otherwise, it falls back to `localhost`. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response. ## Credit 5ud0 / Tarmo Technologies
如何修補 CVE-2026-54299
要修補 CVE-2026-54299,請將受影響套件升級到下列已修補版本。
- —升級至 6.4.6 或更新版本
CVE-2026-54299 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-54299 既不在 CISA KEV 也沒有最新的 EPSS 分數。