Search criteria
42 vulnerabilities found for astro by astro
CVE-2025-66202 (GCVE-0-2025-66202)
Vulnerability from nvd – Published: 2025-12-08 23:41 – Updated: 2025-12-09 16:04
VLAI?
Title
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
Summary
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
Severity ?
6.5 (Medium)
CWE
- CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T14:18:21.955591Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:04:07.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-647",
"description": "CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T23:41:21.976Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c"
},
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
},
{
"name": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
}
],
"source": {
"advisory": "GHSA-whqg-ppgf-wp8c",
"discovery": "UNKNOWN"
},
"title": "Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66202",
"datePublished": "2025-12-08T23:41:21.976Z",
"dateReserved": "2025-11-24T23:01:29.677Z",
"dateUpdated": "2025-12-09T16:04:07.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64765 (GCVE-0-2025-64765)
Vulnerability from nvd – Published: 2025-11-19 16:41 – Updated: 2025-11-20 15:50
VLAI?
Title
Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values
Summary
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T15:50:37.171718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T15:50:41.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application\u2019s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:41:19.022Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
},
{
"name": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
}
],
"source": {
"advisory": "GHSA-ggxq-hp9w-j794",
"discovery": "UNKNOWN"
},
"title": "Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64765",
"datePublished": "2025-11-19T16:41:19.022Z",
"dateReserved": "2025-11-10T22:29:34.877Z",
"dateUpdated": "2025-11-20T15:50:41.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64764 (GCVE-0-2025-64764)
Vulnerability from nvd – Published: 2025-11-19 16:41 – Updated: 2025-11-19 21:07
VLAI?
Title
Astro is vulnerable to Reflected XSS via the server islands feature
Summary
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
Severity ?
7.1 (High)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64764",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T21:06:04.095169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T21:07:23.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:41:03.767Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"
},
{
"name": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"
}
],
"source": {
"advisory": "GHSA-wrwg-2hg8-v723",
"discovery": "UNKNOWN"
},
"title": "Astro is vulnerable to Reflected XSS via the server islands feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64764",
"datePublished": "2025-11-19T16:41:03.767Z",
"dateReserved": "2025-11-10T22:29:34.877Z",
"dateUpdated": "2025-11-19T21:07:23.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65019 (GCVE-0-2025-65019)
Vulnerability from nvd – Published: 2025-11-19 16:40 – Updated: 2025-11-19 21:05
VLAI?
Title
Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint
Summary
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T21:05:09.306723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T21:05:19.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.9, when using Astro\u0027s Cloudflare adapter (@astrojs/cloudflare) with output: \u0027server\u0027, the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:40:47.826Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q"
},
{
"name": "https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533"
}
],
"source": {
"advisory": "GHSA-fvmw-cj7j-j39q",
"discovery": "UNKNOWN"
},
"title": "Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65019",
"datePublished": "2025-11-19T16:40:47.826Z",
"dateReserved": "2025-11-13T15:36:51.680Z",
"dateUpdated": "2025-11-19T21:05:19.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64757 (GCVE-0-2025-64757)
Vulnerability from nvd – Published: 2025-11-19 16:40 – Updated: 2025-11-19 21:04
VLAI?
Title
Astro Development Server is Vulnerable to Arbitrary Local File Read
Summary
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64757",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T21:04:14.914682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T21:04:23.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:40:36.031Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
},
{
"name": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
}
],
"source": {
"advisory": "GHSA-x3h8-62x9-952g",
"discovery": "UNKNOWN"
},
"title": "Astro Development Server is Vulnerable to Arbitrary Local File Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64757",
"datePublished": "2025-11-19T16:40:36.031Z",
"dateReserved": "2025-11-10T22:29:34.875Z",
"dateUpdated": "2025-11-19T21:04:23.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64745 (GCVE-0-2025-64745)
Vulnerability from nvd – Published: 2025-11-13 20:26 – Updated: 2025-11-13 21:20
VLAI?
Title
Astro development server error page vulnerable to reflected Cross-site Scripting
Summary
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T21:19:45.808705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:20:30.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.2.0, \u003c 5.15.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro\u0027s development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim\u0027s browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T20:26:13.261Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7"
},
{
"name": "https://github.com/withastro/astro/pull/12994",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/pull/12994"
},
{
"name": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"
},
{
"name": "https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149"
}
],
"source": {
"advisory": "GHSA-w2vj-39qv-7vh7",
"discovery": "UNKNOWN"
},
"title": "Astro development server error page vulnerable to reflected Cross-site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64745",
"datePublished": "2025-11-13T20:26:13.261Z",
"dateReserved": "2025-11-10T22:29:34.871Z",
"dateUpdated": "2025-11-13T21:20:30.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64525 (GCVE-0-2025-64525)
Vulnerability from nvd – Published: 2025-11-13 15:58 – Updated: 2025-11-13 16:15
VLAI?
Title
Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass
Summary
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
Severity ?
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T16:15:07.067807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T16:15:18.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.16.0, \u003c 5.15.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T15:58:16.797Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
},
{
"name": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"
},
{
"name": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121"
},
{
"name": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97"
}
],
"source": {
"advisory": "GHSA-hr2q-hp5q-x767",
"discovery": "UNKNOWN"
},
"title": "Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64525",
"datePublished": "2025-11-13T15:58:16.797Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-11-13T16:15:18.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59837 (GCVE-0-2025-59837)
Vulnerability from nvd – Published: 2025-10-28 19:54 – Updated: 2025-10-29 17:42
VLAI?
Title
astro allows bypass of image proxy domain validation leading to SSRF and potential XSS
Summary
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.
Severity ?
7.2 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T17:42:34.216831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T17:42:43.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.13.4, \u003c 5.13.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T19:54:28.683Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2"
},
{
"name": "https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4"
},
{
"name": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252"
}
],
"source": {
"advisory": "GHSA-qcpr-679q-rhm2",
"discovery": "UNKNOWN"
},
"title": "astro allows bypass of image proxy domain validation leading to SSRF and potential XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59837",
"datePublished": "2025-10-28T19:54:28.683Z",
"dateReserved": "2025-09-22T14:34:03.471Z",
"dateUpdated": "2025-10-29T17:42:43.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61925 (GCVE-0-2025-61925)
Vulnerability from nvd – Published: 2025-10-10 19:34 – Updated: 2025-10-10 20:01
VLAI?
Title
Astro's `X-Forwarded-Host` is reflected with no validation
Summary
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61925",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:00:44.551372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:01:06.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:34:05.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
},
{
"name": "https://github.com/Chisnet/minimal_dynamic_astro_server",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Chisnet/minimal_dynamic_astro_server"
}
],
"source": {
"advisory": "GHSA-5ff5-9fcw-vg88",
"discovery": "UNKNOWN"
},
"title": "Astro\u0027s `X-Forwarded-Host` is reflected with no validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61925",
"datePublished": "2025-10-10T19:34:05.142Z",
"dateReserved": "2025-10-03T22:21:59.616Z",
"dateUpdated": "2025-10-10T20:01:06.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55303 (GCVE-0-2025-55303)
Vulnerability from nvd – Published: 2025-08-19 18:08 – Updated: 2025-08-19 20:50
VLAI?
Title
Unauthorized third-party images in Astro’s _image endpoint
Summary
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55303",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-19T20:49:42.803973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T20:50:34.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-alpha.0, \u003c 5.13.2"
},
{
"status": "affected",
"version": "\u003c 4.16.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T18:08:00.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
},
{
"name": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820"
}
],
"source": {
"advisory": "GHSA-xf8x-j4p2-f749",
"discovery": "UNKNOWN"
},
"title": "Unauthorized third-party images in Astro\u2019s _image endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55303",
"datePublished": "2025-08-19T18:08:00.244Z",
"dateReserved": "2025-08-12T16:15:30.238Z",
"dateUpdated": "2025-08-19T20:50:34.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-66202
Vulnerability from fkie_nvd - Published: 2025-12-09 00:15 - Updated: 2025-12-10 23:46
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1015DFA8-9106-453C-9144-11E63ADA3B67",
"versionEndExcluding": "5.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8."
}
],
"id": "CVE-2025-66202",
"lastModified": "2025-12-10T23:46:47.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-12-09T00:15:48.977",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
},
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-647"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-65019
Vulnerability from fkie_nvd - Published: 2025-11-19 17:15 - Updated: 2025-11-25 15:09
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "30331D9E-36BD-4BF6-88C3-A8BE37A3E6C8",
"versionEndExcluding": "5.15.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.9, when using Astro\u0027s Cloudflare adapter (@astrojs/cloudflare) with output: \u0027server\u0027, the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9."
}
],
"id": "CVE-2025-65019",
"lastModified": "2025-11-25T15:09:57.477",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-19T17:15:53.063",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64765
Vulnerability from fkie_nvd - Published: 2025-11-19 17:15 - Updated: 2025-11-25 15:11
Severity ?
Summary
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce | Patch | |
| security-advisories@github.com | https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794 | Exploit, Mitigation, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1015DFA8-9106-453C-9144-11E63ADA3B67",
"versionEndExcluding": "5.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application\u2019s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8."
}
],
"id": "CVE-2025-64765",
"lastModified": "2025-11-25T15:11:31.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-19T17:15:52.827",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64757
Vulnerability from fkie_nvd - Published: 2025-11-19 17:15 - Updated: 2025-11-20 17:58
Severity ?
Summary
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "48394CBD-D26B-4176-875E-32B9467D6157",
"versionEndExcluding": "5.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3."
}
],
"id": "CVE-2025-64757",
"lastModified": "2025-11-20T17:58:21.573",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-19T17:15:52.460",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64764
Vulnerability from fkie_nvd - Published: 2025-11-19 17:15 - Updated: 2025-11-20 17:54
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1015DFA8-9106-453C-9144-11E63ADA3B67",
"versionEndExcluding": "5.15.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8."
}
],
"id": "CVE-2025-64764",
"lastModified": "2025-11-20T17:54:05.087",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-19T17:15:52.647",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64745
Vulnerability from fkie_nvd - Published: 2025-11-13 21:15 - Updated: 2025-11-25 15:13
Severity ?
2.7 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "2EE0E141-B44E-460F-BB2E-0FBF0D7B6E43",
"versionEndExcluding": "5.15.6",
"versionStartIncluding": "5.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro\u0027s development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim\u0027s browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue."
}
],
"id": "CVE-2025-64745",
"lastModified": "2025-11-25T15:13:14.937",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-13T21:15:54.240",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/pull/12994"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64525
Vulnerability from fkie_nvd - Published: 2025-11-13 16:15 - Updated: 2025-11-25 15:14
Severity ?
Summary
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1C5C6C54-B40E-40C9-B3EF-905E2A559278",
"versionEndExcluding": "5.15.5",
"versionStartIncluding": "2.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch."
}
],
"id": "CVE-2025-64525",
"lastModified": "2025-11-25T15:14:02.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-13T16:15:56.447",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-59837
Vulnerability from fkie_nvd - Published: 2025-10-28 20:15 - Updated: 2025-11-25 15:16
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "9AE8D713-785F-4EAB-B6CB-80F4F6FEBBD8",
"versionEndExcluding": "5.13.10",
"versionStartIncluding": "5.13.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10."
}
],
"id": "CVE-2025-59837",
"lastModified": "2025-11-25T15:16:15.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-10-28T20:15:49.170",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-61925
Vulnerability from fkie_nvd - Published: 2025-10-10 20:15 - Updated: 2025-12-04 17:54
Severity ?
Summary
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "FFAAA369-C462-46C6-8029-8ADC566A1869",
"versionEndExcluding": "5.14.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue."
}
],
"id": "CVE-2025-61925",
"lastModified": "2025-12-04T17:54:05.143",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-10T20:15:38.233",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/Chisnet/minimal_dynamic_astro_server"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-470"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-55303
Vulnerability from fkie_nvd - Published: 2025-08-19 19:15 - Updated: 2025-11-25 14:31
Severity ?
Summary
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "37E61F09-80C8-43B3-BADC-7DF0E914FEE9",
"versionEndExcluding": "4.16.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "B3311B0A-5F6A-41C3-A69D-EB58081ED818",
"versionEndExcluding": "5.13.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18."
},
{
"lang": "es",
"value": "Astro es un framework web para sitios web basados en contenido. En versiones de Astro anteriores a la 5.13.2 y la 4.16.18, el endpoint de optimizaci\u00f3n de im\u00e1genes en proyectos implementados con renderizado bajo demanda permite la entrega de im\u00e1genes de dominios de terceros no autorizados. Los sitios web renderizados bajo demanda creados con Astro incluyen un endpoint /_image que devuelve versiones optimizadas de las im\u00e1genes. Un error en las versiones afectadas de Astro permite a un atacante eludir las restricciones de dominio de terceros utilizando una URL relativa al protocolo como fuente de la imagen, por ejemplo, /_image?href=//example.com/image.png. Esta vulnerabilidad se corrigi\u00f3 en las versiones 5.13.2 y 4.16.18."
}
],
"id": "CVE-2025-55303",
"lastModified": "2025-11-25T14:31:24.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-19T19:15:36.880",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-115"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2025-66202 (GCVE-0-2025-66202)
Vulnerability from cvelistv5 – Published: 2025-12-08 23:41 – Updated: 2025-12-09 16:04
VLAI?
Title
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
Summary
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
Severity ?
6.5 (Medium)
CWE
- CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T14:18:21.955591Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:04:07.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-647",
"description": "CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T23:41:21.976Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c"
},
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
},
{
"name": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
}
],
"source": {
"advisory": "GHSA-whqg-ppgf-wp8c",
"discovery": "UNKNOWN"
},
"title": "Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66202",
"datePublished": "2025-12-08T23:41:21.976Z",
"dateReserved": "2025-11-24T23:01:29.677Z",
"dateUpdated": "2025-12-09T16:04:07.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64765 (GCVE-0-2025-64765)
Vulnerability from cvelistv5 – Published: 2025-11-19 16:41 – Updated: 2025-11-20 15:50
VLAI?
Title
Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values
Summary
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-20T15:50:37.171718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T15:50:41.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application\u2019s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:41:19.022Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
},
{
"name": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
}
],
"source": {
"advisory": "GHSA-ggxq-hp9w-j794",
"discovery": "UNKNOWN"
},
"title": "Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64765",
"datePublished": "2025-11-19T16:41:19.022Z",
"dateReserved": "2025-11-10T22:29:34.877Z",
"dateUpdated": "2025-11-20T15:50:41.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64764 (GCVE-0-2025-64764)
Vulnerability from cvelistv5 – Published: 2025-11-19 16:41 – Updated: 2025-11-19 21:07
VLAI?
Title
Astro is vulnerable to Reflected XSS via the server islands feature
Summary
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
Severity ?
7.1 (High)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64764",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T21:06:04.095169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T21:07:23.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:41:03.767Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"
},
{
"name": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"
}
],
"source": {
"advisory": "GHSA-wrwg-2hg8-v723",
"discovery": "UNKNOWN"
},
"title": "Astro is vulnerable to Reflected XSS via the server islands feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64764",
"datePublished": "2025-11-19T16:41:03.767Z",
"dateReserved": "2025-11-10T22:29:34.877Z",
"dateUpdated": "2025-11-19T21:07:23.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65019 (GCVE-0-2025-65019)
Vulnerability from cvelistv5 – Published: 2025-11-19 16:40 – Updated: 2025-11-19 21:05
VLAI?
Title
Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint
Summary
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T21:05:09.306723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T21:05:19.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.15.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.15.9, when using Astro\u0027s Cloudflare adapter (@astrojs/cloudflare) with output: \u0027server\u0027, the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:40:47.826Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q"
},
{
"name": "https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533"
}
],
"source": {
"advisory": "GHSA-fvmw-cj7j-j39q",
"discovery": "UNKNOWN"
},
"title": "Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65019",
"datePublished": "2025-11-19T16:40:47.826Z",
"dateReserved": "2025-11-13T15:36:51.680Z",
"dateUpdated": "2025-11-19T21:05:19.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64757 (GCVE-0-2025-64757)
Vulnerability from cvelistv5 – Published: 2025-11-19 16:40 – Updated: 2025-11-19 21:04
VLAI?
Title
Astro Development Server is Vulnerable to Arbitrary Local File Read
Summary
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64757",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T21:04:14.914682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T21:04:23.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:40:36.031Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
},
{
"name": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
}
],
"source": {
"advisory": "GHSA-x3h8-62x9-952g",
"discovery": "UNKNOWN"
},
"title": "Astro Development Server is Vulnerable to Arbitrary Local File Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64757",
"datePublished": "2025-11-19T16:40:36.031Z",
"dateReserved": "2025-11-10T22:29:34.875Z",
"dateUpdated": "2025-11-19T21:04:23.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64745 (GCVE-0-2025-64745)
Vulnerability from cvelistv5 – Published: 2025-11-13 20:26 – Updated: 2025-11-13 21:20
VLAI?
Title
Astro development server error page vulnerable to reflected Cross-site Scripting
Summary
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T21:19:45.808705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:20:30.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.2.0, \u003c 5.15.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro\u0027s development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim\u0027s browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T20:26:13.261Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7"
},
{
"name": "https://github.com/withastro/astro/pull/12994",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/pull/12994"
},
{
"name": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"
},
{
"name": "https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149"
}
],
"source": {
"advisory": "GHSA-w2vj-39qv-7vh7",
"discovery": "UNKNOWN"
},
"title": "Astro development server error page vulnerable to reflected Cross-site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64745",
"datePublished": "2025-11-13T20:26:13.261Z",
"dateReserved": "2025-11-10T22:29:34.871Z",
"dateUpdated": "2025-11-13T21:20:30.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64525 (GCVE-0-2025-64525)
Vulnerability from cvelistv5 – Published: 2025-11-13 15:58 – Updated: 2025-11-13 16:15
VLAI?
Title
Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass
Summary
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
Severity ?
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T16:15:07.067807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T16:15:18.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.16.0, \u003c 5.15.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T15:58:16.797Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
},
{
"name": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"
},
{
"name": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121"
},
{
"name": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97"
}
],
"source": {
"advisory": "GHSA-hr2q-hp5q-x767",
"discovery": "UNKNOWN"
},
"title": "Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64525",
"datePublished": "2025-11-13T15:58:16.797Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-11-13T16:15:18.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59837 (GCVE-0-2025-59837)
Vulnerability from cvelistv5 – Published: 2025-10-28 19:54 – Updated: 2025-10-29 17:42
VLAI?
Title
astro allows bypass of image proxy domain validation leading to SSRF and potential XSS
Summary
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.
Severity ?
7.2 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T17:42:34.216831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T17:42:43.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.13.4, \u003c 5.13.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T19:54:28.683Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2"
},
{
"name": "https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4"
},
{
"name": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252"
}
],
"source": {
"advisory": "GHSA-qcpr-679q-rhm2",
"discovery": "UNKNOWN"
},
"title": "astro allows bypass of image proxy domain validation leading to SSRF and potential XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59837",
"datePublished": "2025-10-28T19:54:28.683Z",
"dateReserved": "2025-09-22T14:34:03.471Z",
"dateUpdated": "2025-10-29T17:42:43.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61925 (GCVE-0-2025-61925)
Vulnerability from cvelistv5 – Published: 2025-10-10 19:34 – Updated: 2025-10-10 20:01
VLAI?
Title
Astro's `X-Forwarded-Host` is reflected with no validation
Summary
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61925",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:00:44.551372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:01:06.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003c 5.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:34:05.142Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
},
{
"name": "https://github.com/Chisnet/minimal_dynamic_astro_server",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Chisnet/minimal_dynamic_astro_server"
}
],
"source": {
"advisory": "GHSA-5ff5-9fcw-vg88",
"discovery": "UNKNOWN"
},
"title": "Astro\u0027s `X-Forwarded-Host` is reflected with no validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61925",
"datePublished": "2025-10-10T19:34:05.142Z",
"dateReserved": "2025-10-03T22:21:59.616Z",
"dateUpdated": "2025-10-10T20:01:06.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55303 (GCVE-0-2025-55303)
Vulnerability from cvelistv5 – Published: 2025-08-19 18:08 – Updated: 2025-08-19 20:50
VLAI?
Title
Unauthorized third-party images in Astro’s _image endpoint
Summary
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55303",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-19T20:49:42.803973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T20:50:34.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-alpha.0, \u003c 5.13.2"
},
{
"status": "affected",
"version": "\u003c 4.16.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T18:08:00.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
},
{
"name": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820"
}
],
"source": {
"advisory": "GHSA-xf8x-j4p2-f749",
"discovery": "UNKNOWN"
},
"title": "Unauthorized third-party images in Astro\u2019s _image endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55303",
"datePublished": "2025-08-19T18:08:00.244Z",
"dateReserved": "2025-08-12T16:15:30.238Z",
"dateUpdated": "2025-08-19T20:50:34.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}