CVE-2026-30117 Overview
CVE-2026-30117 is an arbitrary file upload vulnerability in scalar/astro v0.1.13. The flaw resides in the scalar_url query parameter of the Scalar Proxy endpoint. Attackers can upload a crafted SVG file to execute arbitrary code on the target system. The vulnerability requires no authentication and is exploitable over the network.
The issue is tracked under CWE-94: Improper Control of Generation of Code. Successful exploitation grants attackers the ability to run arbitrary code in the context of the application, leading to full compromise of confidentiality, integrity, and availability.
Critical Impact
Unauthenticated remote attackers can achieve arbitrary code execution by submitting a crafted SVG file through the Scalar Proxy endpoint.
Affected Products
- scalar/astro version 0.1.13
- Scalar Proxy endpoint exposing the scalar_url query parameter
- Applications embedding the affected Scalar Astro integration
Discovery Timeline
- 2026-05-19 - CVE-2026-30117 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-30117
Vulnerability Analysis
The scalar/astro package provides an API reference renderer for the Astro framework. It exposes a Scalar Proxy endpoint that accepts a scalar_url query parameter, which is intended to fetch and relay remote resources for the API documentation viewer.
In version 0.1.13, the proxy endpoint accepts attacker-supplied URLs without sufficient validation of the returned content type or file contents. An attacker can direct the proxy to fetch a crafted SVG file. The SVG payload contains embedded JavaScript that executes in the application context, enabling arbitrary code execution.
The vulnerability maps to CWE-94: Improper Control of Generation of Code. Because the endpoint accepts requests from unauthenticated network clients, exploitation requires no privileges or user interaction.
Root Cause
The root cause is missing validation on the scalar_url parameter and on the data returned by the proxy. The endpoint trusts the supplied URL and forwards content without sanitizing scriptable formats such as SVG. SVG files can carry inline <script> tags that execute when the document is rendered in a browser context.
Attack Vector
An attacker hosts a malicious SVG file on a server they control. The attacker then sends a request to the vulnerable Scalar Proxy endpoint with the scalar_url parameter pointing to that SVG. When the proxy relays the file and a victim browser renders it, the embedded JavaScript executes. Public proof-of-concept material is available at the GitHub PoC Repository.
No verified exploitation code is reproduced here. Refer to the linked PoC repository for the technical artifacts used to demonstrate the issue.
Detection Methods for CVE-2026-30117
Indicators of Compromise
- Inbound HTTP requests to the Scalar Proxy endpoint containing a scalar_url parameter pointing to external or attacker-controlled hosts.
- Proxy responses delivering image/svg+xml content that contains <script> tags or javascript: URIs.
- Outbound connections initiated by the application server to untrusted domains as a result of proxy requests.
- Unexpected child processes spawned by the Node.js process hosting the scalar/astro application.
Detection Strategies
- Inspect application access logs for scalar_url values referencing arbitrary external URLs or .svg resources.
- Apply web application firewall rules that block SVG content traversing the proxy endpoint or that strip script-bearing SVG payloads.
- Correlate proxy fetch events with subsequent process execution, file writes, or outbound network activity on the host.
Monitoring Recommendations
- Forward web server, reverse proxy, and application logs to a centralized analytics platform for retention and search.
- Alert on anomalous request patterns to /scalar or proxy routes, especially requests with externally hosted SVG targets.
- Monitor runtime behavior of the application process for unexpected code execution following proxy requests.
How to Mitigate CVE-2026-30117
Immediate Actions Required
- Upgrade scalar/astro beyond version 0.1.13 once a patched release is available from the maintainers.
- Restrict or disable the Scalar Proxy endpoint in production environments where it is not strictly required.
- Enforce an allowlist of trusted upstream hosts that the scalar_url parameter may reference.
- Reject proxy responses with Content-Type: image/svg+xml or sanitize SVG content before serving it to clients.
Patch Information
At the time of NVD publication, no vendor advisory or fixed version is referenced. Monitor the scalar/astro project repository and the GitHub PoC Repository for patch availability and additional technical details.
Workarounds
- Place the application behind a web application firewall that filters requests containing scalar_url parameters with external destinations.
- Configure a strict Content Security Policy that blocks inline script execution in served documents.
- Validate and rewrite proxy response Content-Type headers to a non-executable type when SVG content is detected.
# Example WAF rule concept to block external scalar_url values
# Deny requests where scalar_url references hosts outside the allowlist
location /scalar-proxy {
if ($arg_scalar_url !~* "^https?://(docs\.example\.com|api\.example\.com)/") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
