CVE-2024-56159
CVE-2024-56159 is a medium-severity vulnerability in Astro with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-219.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v4: 7.8
- EPSS exploit prediction: 1% (71st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-3552
- Weakness: CWE-219
- Affected product: Astro
- Published:
- Last modified:
Description
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **[email protected]**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **[email protected]**, and backported to Astro v4 in **[email protected]**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **[email protected]**, and the fix for **static-output** projects was released in **[email protected]** and backported to Astro v4 in **[email protected]**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
Frequently asked questions
- What is CVE-2024-56159?
- Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **[email protected]**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **[email protected]**, and backported to Astro v4 in **[email protected]**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **[email protected]**, and the fix for **static-output** projects was released in **[email protected]** and backported to Astro v4 in **[email protected]**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
- How severe is CVE-2024-56159?
- CVE-2024-56159 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2024-56159 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (71st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-56159?
- CVE-2024-56159 affects Astro. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-56159?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-56159 have an EU (EUVD) identifier?
- Yes. CVE-2024-56159 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3552.
- When was CVE-2024-56159 published?
- CVE-2024-56159 was published on 2024-12-19 and last updated on 2026-06-17.
References
- https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50
- https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
- https://github.com/withastro/astro/issues/12703
- https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr
Affected products (1)
- cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
More vulnerabilities in Astro
- CVE-2026-54299 — High (CVSS 7.5): Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const…
- CVE-2025-59837 — High (CVSS 7.2): Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy…
- CVE-2026-50146 — High (CVSS 7.1): Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content…
- CVE-2025-64764 — High (CVSS 7.1): Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands…
- CVE-2025-66202 — Medium (CVSS 6.5): Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated…
- CVE-2025-64525 — Medium (CVSS 6.5): Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request…
Other CWE-219 vulnerabilities
- CVE-2024-39776 — High (CVSS 7.5): Avtec Outpost stores sensitive information in an insecure location without proper access controls in place.
- CVE-2023-39467 — Medium (CVSS 5.3): Triangle MicroWorks SCADA Data Gateway certificate Information Disclosure Vulnerability. This vulnerability allows…
- CVE-2002-2024 — Medium (CVSS 5.3): Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3,…