Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14M3YzLTh4ZzgtOHY3Ms4AA34P
Sentry's Astro SDK vulnerable to ReDoS
Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).
Applications that are using Sentry's Astro SDK are affected if:
- They're using Sentry instrumentation:
- they have manually registered Sentry Middleware (affected versions 7.78.0-7.86.0);
- or configured Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn’t disable the automatic server instrumentation (affected versions 7.82.0-7.86.0).
- They have configured routes with at least two path params (e.g.
/foo/[p1]/bar/[p2]).
Patches
The problem has been patched in @sentry/[email protected].
The corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are:
- disable auto instrumentation if you're using Astro 3.5.0 or newer
- and remove the manually added Sentry middleware (if it was added before).
After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.
References
- Sentry docs: Manual Setup for Astro
- Release notes: sentry-javascript 7.87.0
- npm: @sentry/[email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14M3YzLTh4ZzgtOHY3Ms4AA34P
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 11 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-x3v3-8xg8-8v72, CVE-2023-50249
References:
- https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72
- https://github.com/getsentry/sentry-javascript/pull/9815
- https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb
- https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation
- https://www.npmjs.com/package/@sentry/astro/v/7.87.0
- https://nvd.nist.gov/vuln/detail/CVE-2023-50249
- https://github.com/advisories/GHSA-x3v3-8xg8-8v72
Blast Radius: 0.0
Affected Packages
npm:@sentry/astro
Dependent packages: 2Dependent repositories: 1
Downloads: 37,053 last month
Affected Version Ranges: >= 7.78.0, < 7.87.0
Fixed in: 7.87.0
All affected versions: 7.78.0, 7.79.0, 7.80.0, 7.80.1, 7.81.0, 7.81.1, 7.82.0, 7.83.0, 7.84.0, 7.85.0, 7.86.0
All unaffected versions: 7.74.0, 7.74.1, 7.75.0, 7.75.1, 7.76.0, 7.77.0, 7.87.0, 7.88.0, 7.89.0, 7.90.0, 7.91.0, 7.92.0, 7.93.0, 7.94.1, 7.95.0, 7.97.0, 7.98.0, 7.99.0, 7.100.0, 7.100.1, 7.101.0, 7.101.1, 7.102.0, 7.102.1, 7.103.0, 7.104.0, 7.105.0, 7.106.0, 7.106.1, 7.107.0, 7.108.0, 7.109.0, 7.110.0, 7.110.1, 7.111.0, 7.112.0, 7.112.1, 7.112.2, 7.113.0, 7.114.0, 7.115.0, 7.116.0, 7.117.0, 7.118.0, 7.119.0, 7.119.1, 7.119.2, 7.120.0, 8.0.0, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 8.5.0, 8.7.0, 8.8.0, 8.9.1, 8.9.2, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.20.0, 8.21.0, 8.22.0, 8.23.0, 8.24.0, 8.25.0, 8.26.0, 8.27.0, 8.28.0, 8.29.0, 8.30.0, 8.31.0, 8.32.0, 8.33.0, 8.33.1, 8.34.0, 8.35.0, 8.36.0, 8.37.0, 8.37.1, 8.38.0, 8.39.0, 8.40.0, 8.41.0