CVE-2024-56159 Overview
CVE-2024-56159 is a source code disclosure vulnerability in the Astro web framework that allows unauthenticated attackers to read portions of server-side source code through publicly accessible sourcemap files. A flaw in the build process causes server code sourcemap files to be inadvertently deployed to a publicly-accessible folder alongside legitimate client assets such as CSS and font files.
Critical Impact
Unauthenticated remote attackers can access server-side source code by making simple HTTP GET requests to predictably named sourcemap files, potentially revealing application logic, security implementations, and pathways to further exploitation.
Affected Products
- Astro 5 server-output projects versions v5.0.3 through v5.0.7 with sourcemaps enabled
- Astro 4 static-output projects versions 4.16.17 or older with sourcemaps enabled
- Astro 5 static-output projects versions 5.0.8 or older with sourcemaps enabled
Discovery Timeline
- 2024-12-19 - CVE-2024-56159 published to NVD
- 2025-11-25 - Last updated in NVD database
Technical Details for CVE-2024-56159
Vulnerability Analysis
This vulnerability stems from improper handling of sourcemap files during the Astro build process. When sourcemaps are enabled—either directly through configuration or indirectly via integrations like Sentry—the build process incorrectly copies server-side sourcemap files to the dist/client directory, which is publicly accessible to all internet users without authentication.
The exposure is particularly concerning because files corresponding to the file system router (those in src/pages) follow predictable naming conventions. For instance, the sourcemap for src/pages/index.astro is placed at dist/client/pages/index.astro.mjs.map, making it trivial for attackers to enumerate and retrieve server-side code.
While secrets and environment variables are not directly exposed unless hardcoded in the source, the revealed code can enable secondary attacks by exposing application logic, vulnerable regex patterns, authentication mechanisms, and other security-sensitive implementations.
Root Cause
The root cause lies in the static build process within Astro's core build functionality. During the build phase, sourcemap files generated for server-side code are incorrectly included in the client asset deployment directory (config.build.client). This directory is designed to serve public client assets but inadvertently receives server-side .map files when sourcemaps are enabled.
The issue is documented in GitHub Astro Issue #12703, which demonstrates the vulnerability through a reproducible StackBlitz project. The problematic code path can be traced to the static build handling logic in the Astro codebase.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying an Astro-powered website with sourcemaps enabled
- Constructing HTTP GET requests to predictable sourcemap file paths based on the URL structure
- Retrieving server-side source code from the .map files in the dist/client directory
- Analyzing the revealed source code for additional vulnerabilities, business logic flaws, or sensitive information
The vulnerability can be exploited with a simple HTTP request such as:
GET /pages/index.astro.mjs.map HTTP/1.1
Host: vulnerable-astro-site.com
The server responds with the full sourcemap file containing the original server-side source code.
Detection Methods for CVE-2024-56159
Indicators of Compromise
- Unusual HTTP GET requests targeting .map file extensions in production logs
- Access patterns showing sequential enumeration of page paths with .astro.mjs.map suffixes
- External IP addresses making multiple requests to sourcemap file paths
- Web server access logs showing successful (200) responses for .map files
Detection Strategies
- Implement web application firewall (WAF) rules to block requests for .map files from external sources
- Configure log monitoring to alert on any successful responses for sourcemap file requests
- Audit build output directories to verify no .map files exist in publicly accessible paths
- Review CDN or web server configurations to ensure .map files are excluded from public serving
Monitoring Recommendations
- Enable detailed access logging for all static asset requests
- Create alerts for HTTP requests containing .map or sourcemap in the URL path
- Monitor for reconnaissance activity targeting known Astro page structures
- Implement rate limiting on requests to static asset directories to slow enumeration attempts
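The indicators and alerting ideas above, turned into a small log scan as an added example (not code from the advisory or from Astro): it parses nginx/Apache "combined" access-log lines, keeps only requests for .map paths, records which sourcemaps were actually served with a 200, and flags one IP probing several distinct src/pages sourcemaps as enumeration. SAMPLE_LOG is constructed sample data; the IPs and paths are illustrative only.

```javascript
// Added example, not from the advisory: scan nginx-style "combined" access-log
// lines for the sourcemap-access indicators listed above. SAMPLE_LOG is
// constructed sample data; the IPs and paths are illustrative only.
const SAMPLE_LOG = `
203.0.113.7 - - [20/Dec/2024:10:01:02 +0000] "GET /pages/index.astro.mjs.map HTTP/1.1" 200 48211 "-" "curl/8.4.0"
203.0.113.7 - - [20/Dec/2024:10:01:03 +0000] "GET /pages/about.astro.mjs.map HTTP/1.1" 200 12033 "-" "curl/8.4.0"
203.0.113.7 - - [20/Dec/2024:10:01:04 +0000] "GET /pages/login.astro.mjs.map HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.9 - - [20/Dec/2024:10:05:00 +0000] "GET /_astro/index.abc123.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2024:10:05:01 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
`.trim();

// ip, ident, user, [time], "METHOD path proto", status, bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  // strip any query string so "/x.map?v=1" is still recognised as a .map request
  return { ip: m[1], time: m[2], method: m[3], path: m[4].split('?')[0], status: Number(m[5]) };
}

// One summary per client IP that requested at least one .map file.
// "served" lists the sourcemaps that actually got a 200 (code was disclosed);
// "enumeration" fires when one IP probes several distinct src/pages sourcemaps.
function findSourcemapAccess(logText, enumerationThreshold = 2) {
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    const r = parseLine(line);
    if (!r || !/\.map$/i.test(r.path)) continue;
    const e = byIp.get(r.ip) || { ip: r.ip, requests: 0, served: [], pages: new Set() };
    e.requests += 1;
    if (r.status === 200) e.served.push(r.path);
    if (/\.astro\.mjs\.map$/i.test(r.path)) e.pages.add(r.path);
    byIp.set(r.ip, e);
  }
  return [...byIp.values()].map(e => ({
    ip: e.ip,
    requests: e.requests,
    served: e.served,
    enumeration: e.pages.size >= enumerationThreshold,
  }));
}

console.log(JSON.stringify(findSourcemapAccess(SAMPLE_LOG), null, 2));
```

Any entry with a non-empty "served" list means server-side source has already left the server and the affected pages should be treated as disclosed, not merely probed.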
How to Mitigate CVE-2024-56159
Immediate Actions Required
- Upgrade server-output projects to astro@5.0.8 or later immediately
- Upgrade static-output projects to astro@5.0.9 or later, or astro@4.16.18 for Astro 4 users
- Review and remove any existing .map files from public deployment directories
- Disable sourcemaps in production builds if not strictly required
Patch Information
The Astro team has released patches addressing this vulnerability across multiple version branches:
- Server-output projects: Fixed in astro@5.0.8
- Static-output projects: Fixed in astro@5.0.9 (Astro 5) and backported to astro@4.16.18 (Astro 4)
Users should update their Astro dependency immediately using their package manager. The GitHub Security Advisory GHSA-49w6-73cw-chjr provides complete details on the fix.
Workarounds
- Disable sourcemaps in production by setting build.sourcemap: false in astro.config.mjs
- Configure web server rules to deny access to all .map files in the public directory
- Use post-build scripts to remove .map files from dist/client before deployment
- Implement CDN or reverse proxy rules to block requests matching *.map patterns
# Example nginx configuration to block sourcemap access.
# A bare "return 404" is enough: nginx evaluates "return" in the rewrite phase,
# before the access phase, so adding "deny all" would never be reached, and
# 404 (rather than 403) does not confirm to the client that a .map file exists.
location ~* \.map$ {
    return 404;
}
# Or remove sourcemaps post-build via a package.json script:
# "scripts": { "postbuild": "find dist/client -name '*.map' -delete" }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

