CVE-2026-54298: Astro: XSS via Unescaped Attribute Names in Spread Props

June 16, 2026

The spreadAttributes function in Astro’s server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements.

References

github.com/advisories/GHSA-jrpj-wcv7-9fh9
github.com/withastro/astro/security/advisories/GHSA-jrpj-wcv7-9fh9
nvd.nist.gov/vuln/detail/CVE-2026-54298

Code Behaviors & Features

Detect and mitigate CVE-2026-54298 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →