
Cloud Vulnerability DB
A community-led vulnerabilities database
A ReDoS (Regular expression Denial of Service) vulnerability was identified in Sentry's Astro SDK versions 7.78.0-7.86.0, tracked as CVE-2023-50249. The vulnerability was discovered and disclosed in December 2023. The affected component is the Sentry JavaScript SDK, specifically the Astro integration package (@sentry/astro) (Vendor Advisory).
The vulnerability occurs during route interpolation: when starting a transaction, the SDK compiles a new RegExp from user-controlled URL parameter values. Because these values are not escaped before compilation, a request whose parameter values contain regex metacharacters can produce a pattern that backtracks excessively, resulting in ReDoS. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
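To make the root cause concrete, the following is an added example written for this entry; it is not code from the Sentry SDK and the route, parameter names and values are constructed. It shows the unsafe pattern the advisory describes (a raw path parameter value compiled into a RegExp during route interpolation) next to a hardened form that escapes regex metacharacters and matches only whole path segments.

```javascript
// Added example (not Sentry's SDK code). Converts a concrete request path into a
// parameterized route name, e.g. "/users/42/posts/7" with params {id: "42",
// postId: "7"} becomes "/users/[id]/posts/[postId]". Inputs are constructed.

// Escape every regex metacharacter so the value can only match itself literally.
function escapeRegExp(value) {
  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable pattern: the raw parameter value is compiled as a regex. A value
// such as "(" throws a SyntaxError, "a.b" also matches "axb", and crafted values
// can make the engine backtrack heavily (the ReDoS the advisory describes).
function interpolateRouteUnsafe(pathname, params) {
  let route = pathname;
  for (const [name, value] of Object.entries(params)) {
    route = route.replace(new RegExp(value), `[${name}]`);
  }
  return route;
}

// Hardened form: escape the value before compiling it, skip non-string or empty
// values, and anchor the match to a whole path segment so "1" is not replaced
// inside "12".
function interpolateRouteSafe(pathname, params) {
  let route = pathname;
  for (const [name, value] of Object.entries(params)) {
    if (typeof value !== 'string' || value.length === 0) continue;
    const segment = new RegExp(`(?<=/)${escapeRegExp(value)}(?=/|$)`);
    route = route.replace(segment, `[${name}]`);
  }
  return route;
}
```

With the hardened version, a parameter value is treated as data rather than as pattern syntax, so request-controlled input can no longer change the shape of the compiled expression. Where no anchoring is needed, `String.prototype.replaceAll` with a plain string argument avoids compiling a regex from the value at all.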
When exploited, this vulnerability can cause excessive computation times on the server, leading to denial of service (DoS). The impact affects applications using Sentry's Astro SDK that have either manually registered Sentry Middleware (versions 7.78.0-7.86.0) or configured Astro in SSR/hybrid mode using Astro 3.5.0 and newer with automatic server instrumentation enabled (versions 7.82.0-7.86.0), specifically when routes with at least two path params are configured (Vendor Advisory).
The vulnerability has been patched in @sentry/astro version 7.87.0. For users unable to upgrade immediately, temporary mitigations are to disable automatic server instrumentation (if using Astro 3.5.0 or newer) and to remove any manually added Sentry middleware. These workarounds keep basic error reporting working, but server-side transactions and distributed traces between client and server will no longer be collected (Vendor Advisory).
Source: This report was generated using AI