Detections
Analytics

SCA: security update for @astrojs/node (GHSA-qq67-mvv5-fw3g)

medium Tenable Cloud Security Plugin ID 437938

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a
 prerendered custom error page (eg. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:`
 header is changed to an attacker's server, it will be fetched on `/500.html` and they can redirect this to
 any internal URL to read the response body through the first request. An attacker who can access the
 application without `Host:` header validation (eg. through finding the origin IP behind a proxy, or just
 by default) can fetch their own server to redirect to any internal IP. With this they can fetch cloud
 metadata IPs and interact with services in the internal network or localhost. For this to be vulnerable, a
 common feature needs to be used, with direct access to the server (no proxies). Version 9.5.4 fixes the
 issue. (CVE-2026-25545)

Solution

Update the @astrojs/node library and its related packages to version 9.5.4 or later.

See Also

https://github.com/advisories/GHSA-qq67-mvv5-fw3g

Plugin Details

Severity: Medium

ID: 437938

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 2/24/2026

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-25545

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 4.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/23/2026

Vulnerability Publication Date: 2/23/2026

Reference Information

CVE: CVE-2026-25545

cwe: CWE-918