Astro · Astro · CVE-2025-61925
**Name of the Vulnerable Software and Affected Versions**
Astro versions prior to 5.14.2
**Description**
Astro, a web framework, does not validate the `X-Forwarded-Host` header when constructing `Astro.url`. A request whose `X-Forwarded-Host` differs from its `Host` therefore makes Astro build `Astro.url` from the attacker-supplied `X-Forwarded-Host` value. Any output derived from `Astro.url`, such as canonical links or form action URLs, then points at the attacker's host, which can redirect users to a malicious site or send their login credentials there. The impact is amplified when a caching proxy sits in front of the site: a response rendered from the malicious header can be cached and served to subsequent users who sent no such header. The issue affects sites that run Astro in on-demand/dynamic rendering mode behind a caching proxy. The vulnerable component is the handling of the `X-Forwarded-Host` header and its reflection in `Astro.url`.
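As an added illustration (not Astro's code and not the project's fix), the following JavaScript models the mechanism above: a request-derived host that trusts `X-Forwarded-Host` unconditionally, a proxy cache keyed only on the path that hands the poisoned canonical link to later visitors, and one hardened resolver that accepts `X-Forwarded-Host` only when the request came through a known proxy and only for allowlisted hosts. The host names, the request headers and the `makeSafeResolver`/`PathKeyedCache` helpers are constructed for the example.

```javascript
// Added example, not Astro's own code. Models a request-derived URL (like
// Astro.url) built from X-Forwarded-Host, plus the caching amplification.
// All requests and host names below are constructed samples.

const PROTO = 'https';

// Vulnerable pattern: X-Forwarded-Host wins whenever it is present,
// no matter who set it (the client can set it directly).
function resolveHostVulnerable(headers) {
  return headers.get('x-forwarded-host') ?? headers.get('host');
}

// Hardened pattern (illustrative, not Astro's implementation): honour
// X-Forwarded-Host only when a trusted proxy is known to have set it, and
// refuse to render URLs for any host that is not on an explicit allowlist.
function makeSafeResolver(allowedHosts, fromTrustedProxy) {
  const allowed = new Set([...allowedHosts].map((h) => h.toLowerCase()));
  return function resolveHostSafe(headers) {
    const forwarded = headers.get('x-forwarded-host');
    const candidate = fromTrustedProxy && forwarded ? forwarded : headers.get('host');
    if (!candidate) return null;
    const name = candidate.split(':')[0].toLowerCase(); // ignore :port for the check
    return allowed.has(name) ? candidate : null;       // unknown host: do not render
  };
}

// The <link rel="canonical"> a page would emit from the resolved host.
function renderCanonical(headers, pathname, resolveHost) {
  const host = resolveHost(headers);
  if (host === null) return null;
  return `<link rel="canonical" href="${PROTO}://${host}${pathname}">`;
}

// A caching proxy whose cache key is the path only: X-Forwarded-Host is not
// part of the key, so whatever the first request produced is served to
// everyone who asks for that path afterwards.
class PathKeyedCache {
  constructor() {
    this.store = new Map();
  }
  fetch(headers, pathname, resolveHost) {
    if (this.store.has(pathname)) return this.store.get(pathname);
    const body = renderCanonical(headers, pathname, resolveHost);
    if (body !== null) this.store.set(pathname, body); // refusals are not cached
    return body;
  }
}

// Constructed requests: the attacker adds a differing X-Forwarded-Host;
// the victim sends only the ordinary Host header.
const attackerReq = new Headers({ host: 'example.com', 'x-forwarded-host': 'evil.example' });
const victimReq = new Headers({ host: 'example.com' });

// Replays the attacker-then-victim sequence through the cache and returns
// what each of them receives for /login.
function demo(resolveHost) {
  const cache = new PathKeyedCache();
  const attackerSees = cache.fetch(attackerReq, '/login', resolveHost);
  const victimSees = cache.fetch(victimReq, '/login', resolveHost);
  return { attackerSees, victimSees };
}

const poisoned = demo(resolveHostVulnerable);
const hardened = demo(makeSafeResolver(['example.com'], true));
console.log('vulnerable:', poisoned);
console.log('hardened:  ', hardened);
```

With the vulnerable resolver the victim, who never sent `X-Forwarded-Host`, receives the cached canonical link pointing at `evil.example`; with the hardened resolver the attacker's request is refused, nothing is cached, and the victim gets a link to `example.com`. The allowlist is what makes the difference: a proxy check alone still lets a misconfigured or compromised proxy forward an arbitrary host.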
**Recommendations**
Update Astro to version 5.14.2 or later. Because the malicious `X-Forwarded-Host` value can persist in a caching proxy, sites that were exposed should also purge cached on-demand responses after upgrading so that any already-poisoned pages are not served further.