Vulnerable Library - astro-6.3.3.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-6.3.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2026-53632
Vulnerable Library - vite-7.3.3.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json
Dependency Hierarchy:
- astro-6.3.3.tgz (Root Library)
  - ❌ vite-7.3.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Publish Date: 2026-06-22
URL: CVE-2026-53632
CVSS 3 Score Details (8.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution:
- https://github.com/vitejs/vite.git - v8.0.16
- https://github.com/vitejs/vite.git - v6.4.3
- https://github.com/vitejs/launch-editor.git - v2.14.1
- https://github.com/vitejs/vite.git - v7.3.5
CVE-2026-54299
Vulnerable Library - astro-6.3.3.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-6.3.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json
Dependency Hierarchy:
- ❌ astro-6.3.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response. This vulnerability is fixed in 6.4.6.
Publish Date: 2026-06-22
URL: CVE-2026-54299
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-16
Fix Resolution: https://github.com/withastro/astro.git - astro@6.4.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-53571
Vulnerable Library - vite-7.3.3.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-7.3.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json
Dependency Hierarchy:
- astro-6.3.3.tgz (Root Library)
  - ❌ vite-7.3.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similarly, Windows allows a file to be accessed under a different name through the 8.3 short-name compatibility feature, and Vite did not reject access via such names. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
Publish Date: 2026-06-22
URL: CVE-2026-53571
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution:
- https://github.com/vitejs/vite.git - v8.0.16
- https://github.com/vitejs/vite.git - v7.3.5
- https://github.com/vitejs/vite.git - v6.4.3
CVE-2026-53550
Vulnerable Library - js-yaml-4.1.1.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz
Path to dependency file: /tutorials/video-javascript-signaling/project/package.json
Path to vulnerable library: /tutorials/video-javascript-signaling/project/package.json,/sources/video_learning_server-node-deploy/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/package.json,/sources/video-javascript-signaling/package.json,/sources/vonage_video_react_app-local-setup/package.json,/tutorials/video_learning_server-node-deploy/package.json,/tutorials/video-javascript-debugging/project/package.json,/sources/video-javascript-archive_layouts/package.json,/tutorials/vonage_video_react_app-feature-config/package.json,/tutorials/video-javascript-archive_layouts/package.json,/tutorials/video-javascript-archive_layouts/project/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/vonage_video_react_app-local-setup/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/verify-android-silent_auth/package.json,/tutorials/video_learning_server-node-deploy/project/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/advanced-video-core-api-features/package.json,/sources/video-javascript-debugging/package.json,/sources/webxr-javascript-workshop/package.json,/tutorials/video-javascript-multiparty/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/verify-android-silent_auth/package.json,/sources/vonage_video_react_app-feature-config4/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/video-javascript-multiparty_archiving/project/package.json,/toolbar-app/package.json,/tutorials/verify-backend/package.json,/tutorials/advanced-video-core-api-features/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/vonage_video_react_app-feature-config/package.json,/tutorials/video-javascript-signaling/package.json
Dependency Hierarchy:
- astro-6.3.3.tgz (Root Library)
  - ❌ js-yaml-4.1.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service. The issue is in merge handling inside lib/loader.js. This vulnerability is fixed in 4.2.0.
Publish Date: 2026-06-22
URL: CVE-2026-53550
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/nodeca/js-yaml.git - 4.2.0
CVE-2026-54298
Vulnerable Library - astro-6.3.3.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-6.3.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json
Dependency Hierarchy:
- ❌ astro-6.3.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.
Publish Date: 2026-06-22
URL: CVE-2026-54298
CVSS 3 Score Details (4.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-jrpj-wcv7-9fh9
Release Date: 2026-06-16
Fix Resolution: https://github.com/withastro/astro.git - 6.4.6
⛑️ Automatic Remediation will be attempted for this issue.