CVE-2026-54298 Overview
CVE-2026-54298 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Astro web framework affecting versions prior to 6.4.6. The flaw resides in the spreadAttributes function within Astro's server-side rendering pipeline. The function iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When developers use the spread syntax {...props} on an HTML element and object keys originate from untrusted sources, attackers can inject arbitrary HTML attributes or break out of the attribute context to inject new elements. The issue is resolved in Astro 6.4.6.
Critical Impact
Attackers can inject arbitrary HTML attributes, including event handlers such as onmousemove and onclick, leading to script execution in the victim's browser when applications spread untrusted object keys into HTML elements.
Affected Products
- Astro framework versions prior to 6.4.6
- Node.js server-side rendered Astro applications
- Astro applications consuming untrusted data from APIs, CMS platforms, or URL parameters
Discovery Timeline
- 2026-06-22 - CVE-2026-54298 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-54298
Vulnerability Analysis
The vulnerability is a stored or reflected XSS condition caused by missing output encoding on HTML attribute names. Astro's templating engine treats attribute keys as trusted strings during server-side rendering. When a component uses {...props} to forward attributes onto a native HTML element, every key in the supplied object is rendered verbatim into the response markup.
This design assumption breaks when attribute keys are sourced from external input. An attacker who controls a property name in a JSON payload, CMS field, or query parameter can introduce attributes that the browser interprets as event handlers. The injected handlers execute in the origin of the vulnerable application, exposing user sessions and authenticated context.
Root Cause
The spreadAttributes function iterates over object keys and forwards each key to addAttribute without applying HTML entity encoding or character allowlisting. The addAttribute helper concatenates the raw key into the serialized output. Because attribute names are not validated against the HTML attribute name grammar, characters such as =, ", >, and whitespace pass through unfiltered. This permits both attribute injection and full attribute-context breakout.
Attack Vector
Exploitation requires the application to spread an attacker-controlled object onto a rendered element. A typical attack flow involves an attacker submitting a payload to an API or CMS that the Astro application later renders. The attacker supplies a property whose name contains malicious markup, for example a key such as onmousemove=alert(1) x. When Astro renders the component, the resulting HTML contains a working event handler. User interaction is required to trigger most event-handler payloads, consistent with the network attack vector and user interaction requirement documented for this CVE. See the GitHub Security Advisory GHSA-jrpj-wcv7-9fh9 for the maintainers' technical description.
Detection Methods for CVE-2026-54298
Indicators of Compromise
- Unexpected inline event handler attributes (onmousemove, onclick, onerror, onload) appearing in server-rendered Astro responses.
- HTTP response bodies containing attribute names with embedded quotes, equals signs, or angle brackets.
- Anomalous outbound requests from end-user browsers to attacker-controlled domains shortly after rendering content sourced from a CMS or API.
Detection Strategies
- Audit Astro components for use of the spread syntax {...props} on native HTML elements where props originates from external data sources.
- Apply static analysis to flag any propagation of API, CMS, or URL parameter data into spreadAttributes call sites.
- Inspect server-rendered HTML in integration tests for attribute names that deviate from the expected schema.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture inline script and event-handler violations indicative of XSS execution.
- Log and review CMS or API submissions containing property names with non-alphanumeric characters.
- Monitor web application firewall (WAF) telemetry for payloads attempting to inject HTML attribute syntax into JSON object keys.
How to Mitigate CVE-2026-54298
Immediate Actions Required
- Upgrade Astro to version 6.4.6 or later across all production and staging environments.
- Identify every component that uses {...props} on HTML elements and confirm the source of each spread object.
- Implement an allowlist of permitted attribute names when spreading objects whose contents are influenced by external data.
- Deploy a strict Content Security Policy that disallows inline event handlers to reduce exploit impact.
Patch Information
The vulnerability is fixed in Astro 6.4.6. Upgrade by updating the astro dependency in package.json and reinstalling. Refer to the GitHub Security Advisory GHSA-jrpj-wcv7-9fh9 for upstream remediation details.
Workarounds
- Replace {...props} spreads with explicit attribute assignments that bind only known-safe keys.
- Sanitize object keys before rendering by filtering against a strict regular expression such as /^[a-zA-Z-]+$/.
- Strip or reject any incoming JSON payloads whose property names contain characters outside the expected attribute grammar.
# Upgrade Astro to the patched release
npm install astro@6.4.6
# Verify installed version
npm ls astro
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

