Description

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.

Severity (CVSS)

Base score4.2
SeverityMedium
VersionCVSS 3.1
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Provided byCNA

Weaknesses

  • CWE-79 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

VendorProductVersions
withastroastro< 6.4.6

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 23 Jun 2026 10:05 UTC.