js · astro · Critical

Astro SSR: Host header injection in prerendered error page fetch

Astro SSR apps with prerendered error pages fetch those pages over HTTP at runtime using a URL derived from the incoming Host header.

17 Jun 2026 · Read 1 min · Severity: act now

What changed

Astro SSR apps with prerendered error pages fetch those pages over HTTP at runtime using a URL derived from the incoming Host header. If the Host header is not validated against allowedDomains, an attacker who controls it can redirect that server-side fetch to an arbitrary host and read the response.

Who it affects

SSR deployments that serve a prerendered 404 or 500 page and build the request with createRequestFromNodeRequest from astro/app/node, then call app.render() without overriding prerenderedErrorPageFetch. Not affected: @astrojs/node >= 9.5.4, @astrojs/cloudflare, and the dev server.

What to do today

Update to the latest version of your adapter (e.g., @astrojs/node >= 9.5.4) or override prerenderedErrorPageFetch to validate the host against allowedDomains.
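The override below is an added example, not Astro's code: a host-validating wrapper you can pass as prerenderedErrorPageFetch until the adapter is updated. It assumes the option is a function `(url: string) => Promise<Response>` that Astro calls to load a prerendered 404/500 page; the allowlist, the hostname-matching rule and the `makeGuardedErrorPageFetch` helper are this example's own.

```javascript
// Added example (not Astro's own code). Assumption: Astro calls the
// prerenderedErrorPageFetch render option as (url) => Promise<Response> with a URL
// built from the incoming Host header. The allowlist is a constructed sample.
const ALLOWED_HOSTS = ["example.com", "www.example.com"];

// True only for an http(s) URL whose parsed hostname exactly matches an allowed
// host (case-insensitive). Suffix tricks such as "example.com.attacker.example"
// and unparseable or non-HTTP URLs are rejected.
function isAllowedErrorPageUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable: never fetch
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const hostname = url.hostname.toLowerCase();
  return allowedHosts.some((h) => h.toLowerCase() === hostname);
}

// Builds the guarded fetch. For a disallowed host it returns a synthetic 404
// without contacting anything, so no request leaves the server. `fetchImpl`
// is injectable so the behaviour can be exercised without network access.
function makeGuardedErrorPageFetch(allowedHosts = ALLOWED_HOSTS, fetchImpl = globalThis.fetch) {
  return async function prerenderedErrorPageFetch(url) {
    if (!isAllowedErrorPageUrl(url, allowedHosts)) {
      return new Response("Not Found", { status: 404 });
    }
    return fetchImpl(url);
  };
}

// Hypothetical wiring in a Node SSR entrypoint (shown for context only):
//   const request = createRequestFromNodeRequest(req);
//   const response = await app.render(request, {
//     prerenderedErrorPageFetch: makeGuardedErrorPageFetch(["example.com"]),
//   });
```

Keep the allowlist in sync with the hosts you list in allowedDomains, since the same value is what the Host header is meant to be checked against.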
