CVE-2024-56159
📋 TL;DR
A vulnerability in Astro web framework's build process exposes server source code via publicly accessible sourcemap files. Unauthenticated attackers can read server-side code, potentially revealing implementation details that could lead to further exploitation. This affects Astro 4 and 5 projects with sourcemaps enabled, either directly or through integrations like Sentry.
💻 Affected Systems
- Astro
📦 What is this software?
Astro by Astro
⚠️ Risk & Real-World Impact
Worst Case
Attackers discover additional vulnerabilities in exposed source code (like unsafe regex patterns or logic flaws) leading to server compromise, data exposure, or denial of service.
Likely Case
Source code disclosure revealing business logic, API endpoints, and potential security weaknesses that could be exploited in subsequent attacks.
If Mitigated
Limited to source code exposure without immediate data loss or system compromise, though intellectual property and implementation details are revealed.
🎯 Exploit Status
Simple HTTP GET requests to predictable URLs can retrieve sourcemap files. Public demonstration available in GitHub issue #12703.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Astro 5.0.8 for server-output projects; Astro 5.0.9 and Astro 4.16.18 for static-output projects
Vendor Advisory: https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr
Restart Required: Yes
Instructions:
1. Update the Astro package: `npm update astro` or `yarn upgrade astro`.
2. Verify the version: `npm list astro` or `yarn list astro`.
3. Rebuild and redeploy the project.
4. Restart the server if applicable.
🔧 Temporary Workarounds
Disable sourcemaps
Temporarily disable sourcemap generation in the build configuration.
In astro.config.mjs: export default { build: { sourcemap: false } }
Block access to .map files
Configure the web server to deny access to .map files.
For nginx: location ~* \.map$ { deny all; }
For Apache: <Files "*.map"> Require all denied </Files>
🧯 If You Can't Patch
- Disable sourcemaps in build configuration immediately
- Implement web server rules to block HTTP access to .map files
🔍 How to Verify
Check if Vulnerable:
Check whether .map files are accessible at URLs such as /pages/index.astro.mjs.map, or are present in the dist/client directory of the build output. Verify the Astro version and the sourcemap configuration.
Check Version:
npm list astro | grep astro or yarn list astro | grep astro
Verify Fix Applied:
After update, confirm .map files are no longer publicly accessible. Test with HTTP requests to previously vulnerable URLs.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to .map file requests
- Unusual GET requests to /pages/*.mjs.map patterns
Network Indicators:
- External requests to .map file extensions
- Traffic to predictable sourcemap URLs
SIEM Query:
http.url: "*.map" AND http.status_code: 200
🔗 References
- https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50
- https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
- https://github.com/withastro/astro/issues/12703
- https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr