CVE-2024-29896

7.5 HIGH

📋 TL;DR

CVE-2024-29896 is an injection vulnerability in Astro-Shield's automated CSP header generation feature. When that feature is enabled and the application serves user-controllable content, injected scripts can bypass the Content Security Policy restrictions the generated headers are meant to enforce. This affects web applications using Astro-Shield with SSR content generation and external user input.

💻 Affected Systems

Products:
  • astro-shield
Versions: Versions before 1.3.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when automated CSP headers generation for SSR content is enabled AND the application serves user-controllable content.

📦 What is this software?

Astro-Shield is an integration for the Astro web framework that adds Subresource Integrity (SRI) hashes and Content Security Policy headers to a site's pages.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can inject and execute arbitrary JavaScript in users' browsers, leading to complete session compromise, credential theft, and client-side attacks.

🟠 Likely Case

Cross-site scripting (XSS) attacks that steal user sessions, redirect to malicious sites, or perform unauthorized actions on behalf of users.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though CSP bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user-controllable content in SSR responses and automated CSP generation enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0

Vendor Advisory: https://github.com/KindSpells/astro-shield/security/advisories/GHSA-w387-5qqw-7g8m

Restart Required: Yes

Instructions:

1. Update the astro-shield dependency to version 1.3.0 or later.
2. Update package.json to specify "astro-shield": "^1.3.0".
3. Run npm update or yarn upgrade.
4. Restart the application server.

🔧 Temporary Workarounds

Disable automated CSP generation (applies to: all platforms)

  • Disable the automated CSP headers generation feature for SSR content
  • Modify the Astro-Shield configuration to disable automated CSP generation

Implement strict input validation (applies to: all platforms)

  • Add server-side validation for all user-controllable content in SSR responses
  • Implement input sanitization and validation for all user-provided data

🧯 If You Can't Patch

  • Disable automated CSP header generation feature entirely
  • Implement strict Content Security Policy headers manually without relying on automated generation

🔍 How to Verify

Check if Vulnerable:

Check whether the installed astro-shield version is below 1.3.0 AND automated CSP generation is enabled for SSR content. Both conditions must hold for the application to be affected.

Check Version:

npm list astro-shield | grep astro-shield

Verify Fix Applied:

Verify astro-shield version is 1.3.0 or higher in package.json and node_modules
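The version half of the check above, as an added script that is not part of this advisory or of the astro-shield project: it compares a version string against the fixed release 1.3.0 and can read the installed copy's package.json (the node_modules path is npm's default and is an assumption here). Whether SSR CSP generation is enabled still has to be confirmed in the application's own Astro-Shield configuration.

```shell
#!/bin/sh
# Added example: check an installed astro-shield against the fixed release
# named in this advisory (1.3.0). Not part of the advisory or the project.
FIXED_VERSION="1.3.0"

# Compare two dotted versions numerically (prints -1, 0 or 1).
# Pre-release/build suffixes such as "-beta.1" or "+sha" are stripped first.
version_cmp() {
  a="${1%%[-+]*}"; b="${2%%[-+]*}"
  old_ifs="$IFS"; IFS=.
  set -- $a; a1="${1:-0}"; a2="${2:-0}"; a3="${3:-0}"
  set -- $b; b1="${1:-0}"; b2="${2:-0}"; b3="${3:-0}"
  IFS="$old_ifs"
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    x="${pair% *}"; y="${pair#* }"
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
  done
  printf '%s\n' 0
}

# True (exit 0) when the version predates the fix. A pre-release of 1.3.0
# itself (e.g. 1.3.0-beta.1) is still treated as vulnerable.
is_vulnerable_version() {
  cmp="$(version_cmp "$1" "$FIXED_VERSION")"
  case "$1" in
    *-*) [ "$cmp" -le 0 ] ;;
    *)   [ "$cmp" -lt 0 ] ;;
  esac
}

# Read the version of the copy under node_modules (assumed npm default path).
# Exit 1 when vulnerable, 0 when fixed, 2 when not installed.
check_installed() {
  pkg="${1:-node_modules/astro-shield/package.json}"
  [ -f "$pkg" ] || { echo "astro-shield not found at $pkg"; return 2; }
  v="$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)"
  if is_vulnerable_version "$v"; then
    echo "astro-shield $v < $FIXED_VERSION: vulnerable if SSR CSP generation is enabled"
    return 1
  fi
  echo "astro-shield $v includes the fix"
}

# Usage: sh check-astro-shield.sh --check [path/to/package.json]
case "${1:-}" in --check) check_installed "${2:-}" ;; esac
```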

📡 Detection & Monitoring

Log Indicators:

  • Unexpected CSP header changes
  • Multiple CSP policy violations from same user session

Network Indicators:

  • Unusual script sources in CSP headers
  • Multiple 'unsafe-inline' directives in CSP

SIEM Query:

source="web_server" AND (csp_header="unsafe-inline" OR csp_header="unsafe-eval")
