Hi there @matthewp! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Hi,
Based on the repository advisory (GHSA-qq67-mvv5-fw3g) this vulnerability was present in version 9.5.3 and fixed in version 9.5.4. Could you share where you’re seeing that it was fixed in 9.5.3, or provide any supporting details such as a fix commit?

Hi,

based on the repository advisory (GHSA-qq67-mvv5-fw3g) this vulnerability was present in version 9.5.3 and fixed in version 9.5.4.

Yes, this is why I have created this PR to change the mentioned advisory :)

Could you share where you’re seeing that it was fixed in 9.5.3, or provide any supporting details such as a fix commit?

I made this assumption based on this commit: withastro/astro@c13b536, as mentioned in the updated advisory. This commit adds the Host header validation, which shuold fix the described vuln. This commit was already present in version 9.5.3

I have tried the POC from the advisory and can confirm that:

1. With Astro < 5.17.3 and adapter < 9.5.2, the PoC works
2. With Astro < 5.17.3 and adapter >= 9.5.3, the PoC no longer works; the app works as expected
3. With Astro >= 5.17.3 and adapter < 9.5.2, the app crashes
4. With Astro >= 5.17.3 and adapter >= 9.5.3, the PoC no longer works; the app works as expected

So, the mitigation is achieved with 9.5.3 already, and as such that version should be marked as earliest fix

Thank you for the additional information! I see where the confusion lies, I will look further into this and get back to you soon!