CVE-2026-54298
Modified Modified - Updated After Analysis

HTML Attribute Injection in Astro Framework

Vulnerability report for CVE-2026-54298, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
astro astro to 6.4.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Astro versions prior to 6.4.6 involves the spreadAttributes function in the server-side rendering pipeline. This function iterates over object keys from untrusted sources and passes them directly to addAttribute without escaping the attribute names. When a developer uses the spread syntax {...props} on an HTML element, an attacker can inject malicious HTML attributes, including event handlers like onmousemove or onclick, or even break out of the attribute context to inject new elements. This happens because attribute names are not properly escaped, allowing arbitrary JavaScript execution.

Impact Analysis

This vulnerability can lead to Cross-Site Scripting (XSS) attacks, enabling attackers to execute arbitrary JavaScript in the context of the affected website.

  • Session hijacking through cookie theft.
  • Credential theft via fake login forms or keyloggers.
  • Page defacement.
  • Redirection to attacker-controlled domains.
Detection Guidance

Detection of this vulnerability involves identifying if your Astro application uses the spread syntax {...props} on HTML elements where the object keys originate from untrusted sources such as APIs, CMS, or URL parameters.

You can inspect your server-side rendered HTML output for unescaped attribute names that include suspicious event handlers like onmousemove or onclick, or malformed attributes that could indicate injection.

Since this is a server-side rendering issue, network detection might involve monitoring HTTP responses for injected scripts or unusual HTML attributes.

There are no specific commands provided in the resources, but general approaches include:

  • Using grep or similar tools to search your codebase for usage of spread syntax {...props} in Astro components.
  • Manually reviewing or scripting checks on rendered HTML output for unescaped attribute names or suspicious event handlers.
  • Using web vulnerability scanners that detect reflected or stored XSS vulnerabilities in your application.
Mitigation Strategies

The primary mitigation step is to upgrade Astro to version 6.4.6 or later, where this vulnerability is fixed.

Until the upgrade is applied, avoid using the spread syntax {...props} on HTML elements with object keys derived from untrusted sources such as APIs, CMS, or URL parameters.

Validate and sanitize all input data that could be used as attribute keys to prevent injection of malicious HTML attributes.

Review your server-side rendering pipeline to ensure attribute names are properly escaped or validated before being added to HTML output.

Compliance Impact

The vulnerability allows attackers to inject malicious HTML attributes and execute arbitrary JavaScript, which can lead to session hijacking, credential theft, page defacement, and redirection to attacker-controlled domains.

Such impacts can result in unauthorized access to personal data or credentials, potentially violating data protection regulations like GDPR or HIPAA that require safeguarding user data and preventing unauthorized access.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing sensitive user information or enabling attacks that breach confidentiality and integrity requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart