cvelistv5 - cve-2025-54793

CVE-2025-54793 (GCVE-0-2025-54793)

Vulnerability from cvelistv5 – Published: 2025-08-08 00:02 – Updated: 2025-08-08 16:55

Summary

Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.

Severity ?

5.5 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/withastro/astro/security/advis…	x_refsource_CONFIRM
	https://github.com/withastro/astro/commit/0567fb7…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	withastro	astro	Affected: >= 5.2.0, < 5.12.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54793",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-08T16:55:19.482266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-08T16:55:38.979Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "astro",
          "vendor": "withastro",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.12.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T00:02:38.299Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
        },
        {
          "name": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"
        }
      ],
      "source": {
        "advisory": "GHSA-cq8c-xv66-36gw",
        "discovery": "UNKNOWN"
      },
      "title": "Astro: Duplicate trailing slash feature can lead to Open Redirects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54793",
    "datePublished": "2025-08-08T00:02:38.299Z",
    "dateReserved": "2025-07-29T16:50:28.394Z",
    "dateUpdated": "2025-08-08T16:55:38.979Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54793\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-08T01:15:24.950\",\"lastModified\":\"2025-11-25T15:14:31.713\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.\"},{\"lang\":\"es\",\"value\":\"Astro es un framework web para sitios web basados en contenido. En las versiones 5.2.0 a 5.12.7, existe una vulnerabilidad de redirecci\u00f3n abierta en la l\u00f3gica de redirecci\u00f3n de barras diagonales finales al gestionar rutas con barras diagonales dobles. Esto permite a un atacante redirigir a los usuarios a dominios externos arbitrarios mediante la manipulaci\u00f3n de URL como https://mydomain.com//malicious-site.com/. Esto aumenta el riesgo de phishing y otros ataques de ingenier\u00eda social. Afecta a sitios que utilizan renderizado bajo demanda (SSR) con los adaptadores Node o Cloudflare. No afecta a sitios est\u00e1ticos ni a sitios implementados en Netlify o Vercel. Este problema se solucion\u00f3 en la versi\u00f3n 5.12.8. Para solucionar este problema a nivel de red, bloquee las respuestas de redirecci\u00f3n salientes con un valor de encabezado de ubicaci\u00f3n que comience por `//`.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"5.2.0\",\"versionEndExcluding\":\"5.12.7\",\"matchCriteriaId\":\"9D7791B2-1975-4AE6-AFFC-E1074A2CEF28\"}]}]}],\"references\":[{\"url\":\"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54793\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-08T16:55:19.482266Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-08T16:55:32.544Z\"}}], \"cna\": {\"title\": \"Astro: Duplicate trailing slash feature can lead to Open Redirects\", \"source\": {\"advisory\": \"GHSA-cq8c-xv66-36gw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"withastro\", \"product\": \"astro\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.2.0, \u003c 5.12.8\"}]}], \"references\": [{\"url\": \"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw\", \"name\": \"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f\", \"name\": \"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-08T00:02:38.299Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54793\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-08T16:55:38.979Z\", \"dateReserved\": \"2025-07-29T16:50:28.394Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-08T00:02:38.299Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-54793

Vulnerability from fkie_nvd - Published: 2025-08-08 01:15 - Updated: 2025-11-25 15:14

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f	Patch
	security-advisories@github.com	https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw	Third Party Advisory

Impacted products

	Vendor	Product	Version
	astro	astro	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "9D7791B2-1975-4AE6-AFFC-E1074A2CEF28",
              "versionEndExcluding": "5.12.7",
              "versionStartIncluding": "5.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`."
    },
    {
      "lang": "es",
      "value": "Astro es un framework web para sitios web basados en contenido. En las versiones 5.2.0 a 5.12.7, existe una vulnerabilidad de redirecci\u00f3n abierta en la l\u00f3gica de redirecci\u00f3n de barras diagonales finales al gestionar rutas con barras diagonales dobles. Esto permite a un atacante redirigir a los usuarios a dominios externos arbitrarios mediante la manipulaci\u00f3n de URL como https://mydomain.com//malicious-site.com/. Esto aumenta el riesgo de phishing y otros ataques de ingenier\u00eda social. Afecta a sitios que utilizan renderizado bajo demanda (SSR) con los adaptadores Node o Cloudflare. No afecta a sitios est\u00e1ticos ni a sitios implementados en Netlify o Vercel. Este problema se solucion\u00f3 en la versi\u00f3n 5.12.8. Para solucionar este problema a nivel de red, bloquee las respuestas de redirecci\u00f3n salientes con un valor de encabezado de ubicaci\u00f3n que comience por `//`."
    }
  ],
  "id": "CVE-2025-54793",
  "lastModified": "2025-11-25T15:14:31.713",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-08T01:15:24.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-CQ8C-XV66-36GW

Vulnerability from github – Published: 2025-08-07 16:41 – Updated: 2025-11-27 08:06

Summary

Astros's duplicate trailing slash feature leads to an open redirection security issue

Details

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

Usrs can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If a user is redirected to the Astro docs then their site is affected and must be updated.

Upgrade to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

Severity ?

5.5 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.12.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-07T16:41:55Z",
    "nvd_published_at": "2025-08-08T01:15:24Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as `https://mydomain.com//malicious-site.com/`. This increases the risk of phishing and other social engineering attacks.\n\nThis affects Astro \u003e=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.\n\n## Background\n\nAstro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the [`trailingSlash`](https://docs.astro.build/en/reference/configuration-reference/#trailingslash) configuration option. It follows the following rules:\n\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page/` will redirect to `https://example.com/page` \n- If `trailingSlash` is set to `\"always\"`, `https://example.com/page` will redirect to `https://example.com/page/`\n\nIt also collapses multiple trailing slashes, according to the following rules:\n\n- If `trailingSlash` is set to `\"always\"` or `\"ignore\"` (the default), `https://example.com/page//` will redirect to `https://example.com/page/`\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page//` will redirect to `https://example.com/page` \n\nIt does this by returning a `301` redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from `https://example.com/page` to `https://example.com/page/`, it sending a 301 response with the header `Location: /page/`. The browser resolves this URL relative to the original page URL and redirects to `https://example.com/page/`\n\n## Details\n\nThe vulnerability occurs if the target path starts with `//`. A request for `https://example.com//page` will send the header `Location: //page/`. The browser interprets this as a [protocol-relative URL](https://en.wikipedia.org/wiki/URL#Protocol-relative_URLs), so instead of redirecting to `https://example.com//page/`, it will attempt to redirect to `https://page/`. This is unlikely to resolve, but by crafting a URL in the form `https://example.com//target.domain/subpath`, it will send the header `Location: //target.domain/subpath/`, which the browser translates as a redirect to `https://target.domain/subpath/`. The subpath part is required because otherwise Astro will interpret `/target.domain` as a file download, which skips trailing slash handling.\n\nThis leads to an [Open Redirect](https://cwe.mitre.org/data/definitions/601.html) vulnerability.\n\nThe URL needed to trigger the vulnerability varies according to the `trailingSlash` setting.\n\n- If `trailingSlash` is set to `\"never\"`, a URL in the form `https://example.com//target.domain/subpath/`\n- If `trailingSlash` is set to `\"always\"`, a URL in the form `https://example.com//target.domain/subpath`\n- For any config value, a URL in the form `https://example.com//target.domain/subpath//`\n\n## Impact\n\nThis is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.\n\nNo authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.\n\n## Mitigation\n\nUsrs can test if your site is affected by visiting `https://yoursite.com//docs.astro.build/en//`. If a user is redirected to the Astro docs then their site is affected and must be updated.\n\nUpgrade  to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a `Location` header value that starts with `//`.",
  "id": "GHSA-cq8c-xv66-36gw",
  "modified": "2025-11-27T08:06:51Z",
  "published": "2025-08-07T16:41:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withastro/astro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Astros\u0027s duplicate trailing slash feature leads to an open redirection security issue"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54793 (GCVE-0-2025-54793)

FKIE_CVE-2025-54793

GHSA-CQ8C-XV66-36GW

Summary

Background

Details

Impact

Mitigation

Tags

Sightings

Nomenclature