PT-2025-32332 · Astro · Astro

Ghiyastfarisi · Published 2025-08-07 · Updated 2026-03-25 · CVE-2025-54793

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Astro versions 5.2.0 through 5.12.7

Description: Astro is susceptible to an Open Redirect vulnerability stemming from improper handling of paths containing double slashes in its trailing slash redirection logic. This allows an attacker to redirect users to arbitrary external domains via crafted URLs, potentially leading to phishing and social engineering attacks. The vulnerability affects sites using on-demand rendering (SSR) with the Node or Cloudflare adapters; it does not affect static sites or sites deployed to Netlify or Vercel.

The issue arises because the application uses a relative path for the redirect: when the target path starts with //, the browser interprets it as a protocol-relative URL, so the redirect lands on an attacker-controlled domain. The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

Recommendations: Astro version 5.12.8 resolves this issue; upgrade to Astro version 5.12.8. As a temporary workaround, block outgoing redirect responses whose Location header value starts with // at the network level.
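The two defensive measures above (a trailing-slash redirect that can never emit a protocol-relative target, and the network-level Location check used as the interim workaround), as an added example written for this advisory rather than Astro's own code. The function names, the "always"/"never" handling and the origin https://example.test are assumptions; the sample paths are constructed.

```javascript
// Added example (not Astro's implementation). Browsers treat "//host/path" and,
// in practice, "/\host/path" as protocol-relative URLs, so a relative redirect
// built from the request path must never begin with two slashes.
const PROTOCOL_RELATIVE = /^[\/\\]{2}/;

// Collapse any run of leading slashes or backslashes to a single "/", so a
// crafted path such as "//attacker.example" becomes "/attacker.example".
function normalizePath(pathname) {
  return '/' + pathname.replace(/^[\/\\]+/, '');
}

// Compute the relative Location for a trailing-slash redirect, or null when no
// redirect is needed. `mode` mirrors the trailingSlash values "always" and
// "never"; any other value (e.g. "ignore") produces no redirect.
function trailingSlashRedirect(pathname, mode) {
  const path = normalizePath(pathname);
  if (mode === 'always' && !path.endsWith('/')) return path + '/';
  if (mode === 'never' && path.length > 1 && path.endsWith('/')) return path.slice(0, -1);
  return null;
}

// Network-level check matching the advisory's workaround: accept an outgoing
// redirect only when its Location resolves to the site's own origin. `origin`
// is the site origin the edge or proxy knows about (assumed value in tests).
function isSameOriginLocation(location, origin) {
  if (typeof location !== 'string' || PROTOCOL_RELATIVE.test(location)) return false;
  try {
    // Resolve relative Locations against the site origin, then compare origins,
    // which also rejects absolute URLs pointing elsewhere.
    return new URL(location, origin).origin === new URL(origin).origin;
  } catch {
    return false; // unparsable Location: do not forward it
  }
}
```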

Exploit · Fix

Weakness Enumeration: Open Redirect

Related Identifiers: CVE-2025-54793, GHSA-CQ8C-XV66-36GW

Affected Products: Astro