js · astro · Critical

Astro XSS via unescaped attribute keys in spreadAttributes


17 Jun 2026 · Read 1 min · Severity: act now

What changed

The `spreadAttributes` function in Astro's SSR pipeline fails to escape object keys when interpolating them into HTML attribute names, enabling injection of arbitrary attributes and XSS.

Who it affects

All Astro applications that spread object props from untrusted sources (e.g., API, CMS, URL parameters) onto HTML elements using `{...props}` syntax.

What to do today

Upgrade Astro to a patched version or sanitize object keys before spreading them onto HTML elements.
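One way to apply the second mitigation as defense in depth while the upgrade is rolled out, shown as an added example that is not Astro's own code: allowlist the key names of an untrusted props object before it is spread onto an element. It assumes props arrive as a plain object and covers attribute names only, not values.

```javascript
// Added example (not Astro's code): drop keys that are not well-formed
// attribute names before `{...props}` reaches an element, so a key cannot
// smuggle extra attributes into the rendered tag.
// Allowed names: start with a letter, then letters, digits, '_', '.', ':', '-'.
const ATTR_NAME = /^[A-Za-z][A-Za-z0-9_.:-]*$/;

// Returns a new object holding only keys that are safe as attribute names.
// Event-handler attributes (on*) are refused as well, even though they are
// syntactically valid, because untrusted sources have no business setting them.
// `onReject` is an optional callback for logging the keys that were dropped.
function sanitizeAttributeKeys(props, onReject = () => {}) {
  const clean = {};
  for (const [key, value] of Object.entries(props ?? {})) {
    if (!ATTR_NAME.test(key) || /^on/i.test(key)) {
      onReject(key);
      continue;
    }
    clean[key] = value;
  }
  return clean;
}

// Constructed sample: a props object as it might arrive from a CMS or API.
const untrustedProps = {
  'data-id': '42',
  'class': 'card',
  'class="x" autofocus': 'ignored', // key contains quote/space: dropped
  'onmouseover': 'doSomething()',   // event handler: dropped
  'aria-label': 'Card',
};

const rejected = [];
const safeProps = sanitizeAttributeKeys(untrustedProps, (k) => rejected.push(k));
// safeProps keeps data-id, class and aria-label; rejected lists the two others.
// In a component: <div {...safeProps} /> instead of <div {...untrustedProps} />.
```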
