Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).
Applications that are using Sentry's Astro SDK are affected if:
- They're using Sentry instrumentation:
- They have configured routes with at least two path params (e.g.
/foo/[p1]/bar/[p2]).
Patches
The problem has been patched in @sentry/astro@7.87.0.
The corresponding PR: #9815
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are:
After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.
References
Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).
Applications that are using Sentry's Astro SDK are affected if:
/foo/[p1]/bar/[p2]).Patches
The problem has been patched in @sentry/astro@7.87.0.
The corresponding PR: #9815
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are:
After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.
References