{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9654f2a1-f404-5e28-902c-33bc4443196c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/astro@1.9.2", "type": "library", "name": "astro", "version": "1.9.2", "purl": "pkg:npm/astro@1.9.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:4f259bfa-8b65-5e60-a401-132cf66a88b5", "id": "CVE-2024-23331", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-23331 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:ccd90b37-a83e-5f43-9789-3e691b6e955e", "id": "CVE-2024-31207", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-31207 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:39e408a9-cc8b-5c7c-adf3-9bbaa9bdc17a", "id": "CVE-2024-45811", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-45811 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:e5fbcaff-da85-5a25-a296-e58851f17701", "id": "CVE-2025-24010", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-24010 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:a1361707-3f8e-5ec2-805d-00f62184ec87", "id": "CVE-2025-30208", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-30208 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:e9e55dd4-aca6-5a34-aaeb-97046f846e47", "id": "CVE-2025-31125", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-31125 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:c587841a-660f-5f11-b7bf-42b25dbde01c", "id": "CVE-2025-31486", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-31486 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:4537c899-36f4-5459-88ff-d5850fa4e72f", "id": "CVE-2025-32395", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-32395 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:7929d941-f169-5bfa-a379-ef69cfb91a1b", "id": "CVE-2025-46565", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-46565 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:c8bd838f-3353-51bb-b32e-48c562f79b0e", "id": "CVE-2025-58751", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-58751 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:f7f19431-94b1-5393-8212-9551cbb9a82b", "id": "CVE-2025-58752", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-58752 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:1f4d54aa-8357-5624-824d-f71731611ee5", "id": "CVE-2025-62522", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-62522 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:e5e075ea-4404-5529-8a71-c450887211b0", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:cd421d5d-017c-5855-8300-3fdab125c0b2", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:37867bbe-c9cb-597d-8b21-4a498076cf57", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:46fed5ac-4862-5f6b-b320-ccd4d0a484e4", "id": "CVE-2026-45028", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45028 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:a2c04b4c-0090-52c0-a0d6-9877362fe478", "id": "CVE-2026-50146", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50146 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:bd7932c1-7e8d-5e9b-9e96-ab2d6fd9b83f", "id": "CVE-2026-53571", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-53571 does not affect version 1.9.2 of astro. not_affected \u2014 Astro's codebase does not contain the vulnerable file access control logic described in CVE-2026-53571. The vulnerability exists in Vite's dev server file-serving middleware, which is a declared dependency (package.json shows 'vite': '~3.2.5'). Astro delegates all request handling directly to Vite without implementing its own file access control or path normalization logic. The vulnerable code ..." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:7f7e24e4-e4d9-5ee0-881d-9ac245bffdf6", "id": "CVE-2026-54298", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54298 affects version 1.9.2 of astro." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] }, { "bom-ref": "urn:uuid:c46d1e78-4677-5dfb-8ce3-551c03edc76c", "id": "CVE-2026-54299", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54299 does not affect version 1.9.2 of astro. not_affected \u2014 Astro version 1.9.2 is not affected by CVE-2026-54299. The vulnerability requires the prerendered error page HTTP fetching feature, which was introduced in Astro 5.12.9+. Version 1.9.2 renders all error pages in-process using the component system, not via HTTP fetch, eliminating the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/astro@1.9.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/astro@1.9.2" } ] }