CVE-2026-54298
JavaScript Vulnerability Analysis and Mitigation

Overview

CVE-2026-54298 is a Cross-Site Scripting (XSS) vulnerability in the Astro web framework's server-side rendering pipeline, caused by unescaped attribute names in spread props. The spreadAttributes function passes object keys directly to addAttribute, which interpolates them into HTML output without sanitization, allowing injection of arbitrary HTML attributes or event handlers. It affects all astro npm package versions prior to 6.4.6 (specifically <= 6.4.2 per the vendor advisory). The vulnerability was published on June 12, 2026, and the advisory was added to the GitHub Advisory Database on June 16, 2026. It carries a CVSS v3.1 base score of 4.2 (Medium) (GitHub Advisory, Astro Advisory).

Technical Details

The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-Site Scripting). In packages/astro/src/runtime/server/render/util.ts, the addAttribute function interpolates the attribute key directly into the HTML string as `${key}="${toAttributeString(value, shouldEscape)}"` without any escaping or validation of the key itself. While toAttributeString escapes attribute values, the attribute name (key) is never sanitized. The spreadAttributes function in packages/astro/src/runtime/server/index.ts calls addAttribute for every entry in the spread object via Object.entries(), meaning any untrusted object key (e.g., from an API response, CMS, or URL parameter) can break out of the attribute context and inject event handlers such as onmousemove or onclick. Exploitation requires that a developer uses the {...props} spread syntax on an HTML element where the object keys originate from an untrusted source (GitHub Advisory, Astro Advisory).
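The following is an added example, not Astro's source code: a simplified model of the spread-attributes pattern described above (attribute key interpolated verbatim, only the value escaped), beside a hardened variant that validates attribute names before rendering. The function names and the minimal value escaper are assumptions standing in for the framework's own helpers.

```javascript
// Added example (not Astro's code): model of the vulnerable pattern and a hardened form.

// Minimal value escaping, standing in for toAttributeString (assumption: same intent).
function escapeAttrValue(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Vulnerable pattern: the key is interpolated verbatim; only the value is escaped,
// so a key containing a quote breaks out of the attribute context.
function spreadAttributesVulnerable(props) {
  let out = "";
  for (const [key, value] of Object.entries(props)) {
    out += ` ${key}="${escapeAttrValue(value)}"`;
  }
  return out;
}

// Syntactically valid attribute names: start with a letter, then letters, digits, '-', '_', ':' or '.'.
// Quotes, spaces, '=' and '>' can never be part of a legitimate name.
const SAFE_ATTR_NAME = /^[a-zA-Z][a-zA-Z0-9_.:-]*$/;
// Even a syntactically valid name must not be an event handler when keys are untrusted,
// because value escaping does not neutralise JavaScript inside an on* attribute.
const EVENT_HANDLER_NAME = /^on/i;

// Hardened pattern: drop keys that are not valid attribute names or that are event handlers.
// Returns the rendered attributes and the rejected keys so the caller can log them.
function spreadAttributesHardened(props) {
  let out = "";
  const rejected = [];
  for (const [key, value] of Object.entries(props)) {
    if (!SAFE_ATTR_NAME.test(key) || EVENT_HANDLER_NAME.test(key)) {
      rejected.push(key);
      continue;
    }
    out += ` ${key}="${escapeAttrValue(value)}"`;
  }
  return { html: out, rejected };
}

// Constructed input: the quote-bearing key quoted in this write-up plus a benign data attribute.
const untrustedProps = { 'x" onmousemove="alert(document.cookie)" y': "", "data-id": "42" };

// The vulnerable renderer emits an onmousemove attribute; the hardened one renders only data-id.
console.log(`<div${spreadAttributesVulnerable(untrustedProps)}></div>`);
console.log(`<div${spreadAttributesHardened(untrustedProps).html}></div>`);
```

The rejected-key list is what a defender would log: a non-empty list on a production render is a direct signal that untrusted keys reached a spread.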

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session on any Astro application that spreads untrusted object props onto HTML elements. Concrete consequences include session hijacking via cookie theft, credential theft through injected fake login forms or keyloggers, page defacement, and redirection to attacker-controlled domains. The vulnerability affects SSR deployments (where URL parameters can be the attack vector), static site generation (SSG) builds if build-time data sources such as APIs, CMS, or databases are compromised, and hybrid deployments (GitHub Advisory, Astro Advisory).

Exploitation Steps

  1. Identify a target: Find an Astro application (SSR or SSG) that spreads object props from an untrusted source (API, CMS, URL parameters) onto HTML elements using the {...props} syntax.
  2. Craft a malicious object key: Construct a JSON object whose key contains a quote character and an event handler payload, e.g., {"x\" onmousemove=\"alert(document.cookie)\" y": ""}. The key breaks out of the HTML attribute context.
  3. Deliver the payload (SSR): For SSR deployments, encode the malicious JSON as a URL parameter and send it to the target page, e.g., http://target/?props=%7B%22x%5C%22%20onmousemove%3D%5C%22alert(document.cookie)%5C%22%20y%22%3A%22%22%7D.
  4. Deliver the payload (SSG/build-time): For static builds, compromise the upstream data source (API endpoint, CMS entry, or database record) to inject a malicious key that will be embedded at build time.
  5. Trigger execution: Lure a victim to the crafted URL or the affected page. When the victim interacts with the injected element (e.g., moves the mouse over it), the event handler executes arbitrary JavaScript in their browser session, enabling cookie theft, credential harvesting, or further attacks (GitHub Advisory, Astro Advisory).

Indicators of Compromise

  • Network: HTTP requests to Astro SSR pages containing URL-encoded JSON with suspicious keys (e.g., keys containing %22, onmousemove, onclick, onerror, or other event handler strings) in query parameters.
  • Logs: Web server or application logs showing requests with query parameters containing encoded quote characters (%22, \") adjacent to JavaScript event handler names within JSON-structured values.
  • File System (SSG): Unexpected HTML attribute names containing event handlers (e.g., onmousemove, onclick, onerror) in statically generated HTML output files, particularly in elements that use spread props.
  • Browser/Client-Side: Unexpected JavaScript execution (e.g., alert(), cookie access, or outbound requests to unknown domains) triggered by mouse or keyboard interaction on affected pages.
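As an added example (not part of the original advisory), the network and log indicators above can be checked mechanically: the code below URL-decodes each query parameter value in a combined-log-format request line and flags values where a quote character is followed by an HTML event-handler attribute name. The log format, the sample lines and the function names are constructed for this example.

```javascript
// Added example: detect the advisory's log indicator (encoded quote adjacent to an
// event-handler name inside a query parameter) over constructed access-log lines.

// A quote, optional whitespace, then an on* attribute name followed by '='.
const EVENT_HANDLER_AFTER_QUOTE = /["']\s*on[a-z]+\s*=/i;

// Decode every parameter value in the query string; keep malformed percent-encoding raw.
function decodedQueryValues(url) {
  const idx = url.indexOf("?");
  if (idx === -1) return [];
  return url.slice(idx + 1).split("&").map((pair) => {
    const value = pair.slice(pair.indexOf("=") + 1);
    try { return decodeURIComponent(value.replace(/\+/g, " ")); } catch { return value; }
  });
}

// Return the decoded parameter values in one request line that match the indicator.
function suspiciousQueryValues(logLine) {
  const m = logLine.match(/"(?:GET|POST|HEAD) (\S+) HTTP/);
  if (!m) return [];
  return decodedQueryValues(m[1]).filter((v) => EVENT_HANDLER_AFTER_QUOTE.test(v));
}

// Return only the log lines that carry at least one suspicious parameter value.
function flaggedLines(lines) {
  return lines.filter((line) => suspiciousQueryValues(line).length > 0);
}

// Constructed sample lines (combined log format). The second carries the encoded JSON
// quoted in this write-up; the others are benign, including a path containing "on".
const SAMPLE_LOG = [
  '203.0.113.5 - - [16/Jun/2026:10:00:01 +0000] "GET /?props=%7B%22title%22%3A%22Hello%22%7D HTTP/1.1" 200 512',
  '203.0.113.9 - - [16/Jun/2026:10:00:07 +0000] "GET /?props=%7B%22x%5C%22%20onmousemove%3D%5C%22alert(document.cookie)%5C%22%20y%22%3A%22%22%7D HTTP/1.1" 200 530',
  '198.51.100.2 - - [16/Jun/2026:10:00:09 +0000] "GET /blog/onboarding?ref=newsletter HTTP/1.1" 200 2048',
];

for (const line of flaggedLines(SAMPLE_LOG)) {
  console.log("suspicious request:", line);
  console.log("  decoded values:", suspiciousQueryValues(line));
}
```

Decoding before matching matters: the raw line contains `%22` and `%3D`, so a check on the undecoded string would miss the quote-then-handler pattern.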

Mitigation and Remediation

Upgrade the astro npm package to version 6.4.6 or later, which patches the vulnerability by sanitizing attribute name keys before interpolation into HTML output. No configuration-based workaround is available; the fix must be applied at the code level. As an interim measure, developers should audit all uses of the {...props} spread syntax on HTML elements and ensure that object keys are sourced exclusively from trusted, controlled data — never directly from user input, URL parameters, or unvalidated external APIs or CMS systems (GitHub Advisory, Astro Advisory).

Community Response

The advisory was published by Astro maintainer matthewp on June 12, 2026, and credited reporter Texuguinho1234 for discovery. No significant broader media coverage, researcher commentary, or notable social media discussion has been identified beyond the official GitHub Security Advisory (Astro Advisory).

Additional Resources

This report was generated using AI.
