CVE-2024-29896 (severity: HIGH)

CVE-2024-29896: Astro-Shield's Content-Security-Policy header generation in middleware could be compromised by malicious injections

Vendor: Kindspells
Product: astro-shield
Weakness: CWE-74 (improper neutralization of special elements in output, i.e. injection)
Published: March 28, 2024
Last update: August 2, 2024

CVSS base score: 7.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

Astro-Shield is a library that computes Subresource Integrity (SRI) hashes for JavaScript scripts and CSS stylesheets. When its automated Content-Security-Policy (CSP) header generation for server-side-rendered (SSR) content is enabled, and the web application serves content that external users can partially control, the CSP generation feature may allow-list maliciously injected resources, such as inline JavaScript or references to external malicious scripts, because it derives the policy from the rendered output rather than from trusted sources only. Applications that expose user-controlled content through SSR pages should upgrade; the fix is available in version 1.3.0.

Disclosure timeline

March 28, 2024: CVE published
August 2, 2024: Record updated