Astro Vercel Integration Exposes Critical Path Traversal Vulnerability (CVE-2026-33768)

A critical security flaw in the `@astrojs/vercel` integration allows unauthenticated attackers to manipulate server-side request paths, potentially leading to unauthorized access or data exposure. The vulnerability, tracked as CVE-2026-33768, stems from the serverless entrypoint's handling of the `x-astro-path` header and `x_astro_path` query parameter. These inputs are used to rewrite internal request paths without any form of authentication or validation, creating a direct vector for path traversal attacks.

The issue was identified in the dependency management system, prompting an automated security update from version 9.0.4 to the patched version 10.0.0. The vulnerability advisory (GHSA-mr6q-rp88-fx84) confirms the risk is present in the core integration code that facilitates Astro framework deployments on Vercel's serverless platform. This is not a theoretical threat; it is a live, exploitable weakness in a widely used deployment toolchain for modern web applications.

Any project using the affected `@astrojs/vercel` adapter is immediately at risk until the dependency is updated. The flaw represents a significant supply chain security failure, as it resides in a foundational integration relied upon by developers for production deployments. The silent, automated nature of the fix via a dependency bot underscores how critical vulnerabilities can be introduced and remediated within the software development lifecycle, often without direct developer awareness until an advisory is published.