PT-2025-41598 · Astro · Astro

Chisnet · Published 2025-10-10 · Updated 2025-12-04 · CVE-2025-61925

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 5.14.2
Description: Astro, a web framework, does not validate the X-Forwarded-Host header when building Astro.url. A request whose X-Forwarded-Host differs from its Host header therefore makes Astro.url reflect the attacker-supplied X-Forwarded-Host value instead of the real host. Any code that derives absolute URLs from Astro.url, such as canonical links or form action URLs, then emits URLs pointing at the attacker's host, which can send users to a malicious site or cause submitted login credentials to be posted to it. The impact is amplified when a caching proxy sits in front of the application: if the response rendered for the crafted request is cached, the poisoned value is served to every subsequent visitor of that path, not only to the attacker. The issue affects deployments that use Astro in on-demand (dynamic, server-side) rendering mode behind a caching proxy. The vulnerable component is the handling of the X-Forwarded-Host header and its reflection in Astro.url.
Recommendations: Update Astro to version 5.14.2 or later. Independently of the upgrade, configure the reverse proxy or CDN in front of the application to overwrite, not merely append to, X-Forwarded-Host with a value it controls, so that client-supplied copies of the header never reach the application, and confirm that the cache key in front of on-demand pages does not let a header-manipulated render be served to other users.
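The following is an added illustration written for this entry; it is not Astro's source code and not the change shipped in 5.14.2. It contrasts a request-URL builder that trusts X-Forwarded-Host unconditionally (the defect class described above) with one that checks the header against an allowlist of hosts the deployment actually serves, and runs both through a toy path-keyed cache to show how one crafted request poisons what later visitors receive. All host names, header maps, the `ALLOWED_HOSTS` list and the helper names (`requestUrlUnsafe`, `requestUrlSafe`, `hostMismatch`, `PathCache`, `servedToVictim`) are assumptions constructed for the example.

```javascript
// Added illustration, not Astro's source: a request-URL builder that trusts
// X-Forwarded-Host unconditionally, beside one that checks the value against
// an allowlist, run through a toy path-keyed cache to show the cross-user effect.
// All host names, header maps and helper names below are constructed.

// Vulnerable pattern: any X-Forwarded-Host value overrides Host.
function requestUrlUnsafe(headers, path) {
  const host = headers["x-forwarded-host"] ?? headers["host"];
  const proto = headers["x-forwarded-proto"] ?? "https";
  return new URL(path, `${proto}://${host}`);
}

// Hardened pattern: X-Forwarded-Host is honoured only when it names a host the
// deployment serves (assumed allowlist); anything else falls back to Host.
function requestUrlSafe(headers, path, allowedHosts) {
  const forwarded = headers["x-forwarded-host"];
  const trusted = forwarded !== undefined &&
    allowedHosts.includes(forwarded.toLowerCase());
  const host = trusted ? forwarded.toLowerCase() : headers["host"];
  const proto = headers["x-forwarded-proto"] ?? "https";
  return new URL(path, `${proto}://${host}`);
}

// Detection helper: true when a request carries an X-Forwarded-Host that
// disagrees with Host, the shape of request this advisory describes.
function hostMismatch(headers) {
  const forwarded = headers["x-forwarded-host"];
  if (forwarded === undefined) return false;
  return forwarded.toLowerCase() !== (headers["host"] ?? "").toLowerCase();
}

// What a page template would emit from the resolved URL.
function canonicalTag(url) {
  return `<link rel="canonical" href="${url.href}">`;
}

// Toy caching proxy keyed on path only, i.e. X-Forwarded-Host is not part of
// the cache key, so the first render of a path is served to everyone after it.
class PathCache {
  constructor() { this.store = new Map(); }
  fetch(path, headers, render) {
    if (!this.store.has(path)) this.store.set(path, render(headers, path));
    return this.store.get(path);
  }
}

// Constructed requests: the attacker's carries a mismatched X-Forwarded-Host,
// the victim's is an ordinary request for the same path.
const attackerRequest = {
  host: "shop.example",
  "x-forwarded-host": "attacker.example",
  "x-forwarded-proto": "https",
};
const victimRequest = { host: "shop.example" };

// Runs attacker-then-victim through a fresh cache and returns what the victim sees.
function servedToVictim(buildUrl, path = "/login") {
  const cache = new PathCache();
  const render = (headers, p) => canonicalTag(buildUrl(headers, p));
  cache.fetch(path, attackerRequest, render);      // attacker primes the cache
  return cache.fetch(path, victimRequest, render); // victim receives cached body
}

const ALLOWED_HOSTS = ["shop.example"]; // assumed: hosts this deployment serves
console.log("mismatch flagged:", hostMismatch(attackerRequest));
console.log("unsafe:", servedToVictim(requestUrlUnsafe));
console.log("safe:  ", servedToVictim((h, p) => requestUrlSafe(h, p, ALLOWED_HOSTS)));
```

With the unsafe builder the victim's cached page carries a canonical link to attacker.example even though the victim never sent a forged header; with the allowlist builder the same sequence yields shop.example. The `hostMismatch` check is the condition worth logging or blocking at the edge, and the cache model is the reason the advisory singles out on-demand rendering behind a caching proxy: without the cache the reflected value only reaches the attacker's own request.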

Weakness Enumeration

Related Identifiers

CVE-2025-61925
GHSA-5FF5-9FCW-VG88

Affected Products

Astro