CVE-2026-45028: CWE-323: Reusing a Nonce, Key Pair in Encryption in withastro astro
Astro versions prior to 6.1.10 use AES-GCM encryption for server island props and slots but do not bind ciphertext to its intended component or parameter type. This allows an attacker to replay encrypted props as slots or vice versa, potentially causing cross-site scripting (XSS) if the application uses server islands with overlapping key names and attacker-controlled prop values. The vulnerability is fixed in version 6.1.10. The CVSS 4.0 score is 2.9, indicating low severity.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability in Astro (CVE-2026-45028) arises from reuse of a nonce and key pair in AES-GCM encryption protecting server island props and slots parameters. Because the ciphertext is not bound to the specific component or parameter type, an attacker can replay encrypted data from one component's props to another component's slots. Since slots contain raw unescaped HTML and props may contain user-controlled values, this can lead to XSS in applications that use server islands with overlapping key names for props and slots. Exploitation requires a dynamically rendered page and attacker control over the overlapping prop value. The issue is resolved in Astro version 6.1.10.
Potential Impact
An attacker with control over certain prop values in a vulnerable Astro application can cause cross-site scripting (XSS) by replaying encrypted props as slots, which contain raw HTML. This could lead to client-side code execution in affected applications. The CVSS 4.0 score of 2.9 reflects low severity, indicating limited impact and exploitation complexity.
Mitigation Recommendations
Upgrade Astro to version 6.1.10 or later, where this vulnerability is fixed. No other mitigation is specified or required.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-08T16:58:28.897Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a04a50ccbff5d8610e804bb
Added to database: 5/13/2026, 4:21:32 PM
Last enriched: 5/13/2026, 4:36:38 PM
Last updated: 5/13/2026, 5:23:51 PM