logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-50249 @sentry/astro

Package

Manager: npm
Name: @sentry/astro
Vulnerable Version: >=7.78.0 <7.87.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00171 pctl0.38798

Details

Sentry's Astro SDK vulnerable to ReDoS ### Impact A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). Applications that are using Sentry's Astro SDK are affected if: 1. They're using Sentry instrumentation: - they have [manually registered](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) Sentry Middleware (affected versions 7.78.0-7.86.0); - or [configured](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#configure-server-instrumentation) Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn’t [disable the automatic server instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) (affected versions 7.82.0-7.86.0). 2. They have configured routes with at least two path params (e.g. `/foo/[p1]/bar/[p2]`). ### Patches The problem has been patched in [@sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0). The corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815 ### Workarounds We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are: * [disable auto instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) if you're using Astro 3.5.0 or newer * and remove the manually added Sentry middleware (if it was [added](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) before). After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can. ### References * [Sentry docs: Manual Setup for Astro](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/) * [Release notes: sentry-javascript 7.87.0](https://github.com/getsentry/sentry-javascript/releases/tag/7.87.0) * [npm: @sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0)

Metadata

Created: 2023-12-18T20:00:55Z
Modified: 2023-12-28T22:03:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-x3v3-8xg8-8v72/GHSA-x3v3-8xg8-8v72.json
CWE IDs: ["CWE-1333", "CWE-400"]
Alternative ID: GHSA-x3v3-8xg8-8v72
Finding: F211
Auto approve: 1