PT-2025-46860 · Astro · Astro

Published 2025-11-13 · Updated 2025-11-16 · CVE-2025-64525

CVSS v3.1 6.5 Medium
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Astro versions 2.16.0 through 5.15.4
Description: Astro, a web framework, contains a flaw in its on-demand rendering feature: the x-forwarded-proto and x-forwarded-port request headers are used without sanitization when the framework constructs the request URL. The issue is in the createRequest() function in node.ts, where the header values are interpolated directly into the URL string. Because the x-forwarded-proto value lands at the very front of that string, a crafted value lets an attacker rewrite the entire URL, including the host, port and path. The x-forwarded-port header can also be abused, though with more limited impact. A bypass of the previous fix for the x-forwarded-host header is also possible by sending that header with an empty value.

Depending on the deployment, the consequences include bypass of routes protected by middleware (via x-forwarded-proto), denial of service through cache poisoning when a CDN sits in front of the application, server-side request forgery (SSRF) (via x-forwarded-proto), URL pollution (which can lead to stored cross-site scripting, SXSS, when a CDN is present), and web application firewall (WAF) bypass.
Recommendations: Update to Astro version 5.15.5 or later. As general hardening independent of this fix, a reverse proxy or CDN in front of the application should overwrite, rather than pass through, client-supplied X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers, so the application only ever sees values set by infrastructure it trusts.
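The following is an added illustration, not code from Astro or from the advisory's authors: a minimal reconstruction of the unsafe pattern the description names (forwarded headers interpolated straight into a URL string) beside a hardened builder that allow-lists the scheme, validates the port, rejects an empty or unexpected forwarded host, and only honors the headers when the application is configured to trust its proxy. The function names (buildUrlUnsafe, buildUrlSafe), the option names and the sample headers are assumptions.

```javascript
// Added example for this advisory; NOT Astro's createRequest() and not the real fix.
// Assumed input: a Node-style headers object (lowercase keys, string values).

// Unsafe pattern: X-Forwarded-* values are concatenated verbatim into the URL string.
// Whatever arrives in x-forwarded-proto becomes the start of the URL, so it can carry
// its own "://host/path#" and push the real authority and path into the fragment.
function buildUrlUnsafe(headers, fallbackHost, pathname) {
  const proto = headers['x-forwarded-proto'] ?? 'http';
  const port = headers['x-forwarded-port'];
  const authority = port !== undefined ? `${fallbackHost}:${port}` : fallbackHost;
  return new URL(`${proto}://${authority}${pathname}`);
}

const ALLOWED_PROTOS = new Set(['http', 'https']);
const PORT_RE = /^\d{1,5}$/;

// Hardened builder: each forwarded value must match a strict grammar or allow-list
// before it touches the URL, and none is consulted unless trustProxy is set.
function buildUrlSafe(headers, fallbackHost, pathname, opts = {}) {
  const { trustProxy = false, allowedHosts = new Set([fallbackHost]) } = opts;
  let proto = 'http';
  let host = fallbackHost;
  let port = '';

  if (trustProxy) {
    const fwdProto = headers['x-forwarded-proto'];
    if (fwdProto !== undefined) {
      // Chained proxies append values; only the first is the client-facing scheme.
      const first = fwdProto.split(',')[0].trim().toLowerCase();
      if (!ALLOWED_PROTOS.has(first)) throw new Error(`rejected x-forwarded-proto: ${fwdProto}`);
      proto = first;
    }
    const fwdHost = headers['x-forwarded-host'];
    if (fwdHost !== undefined) {
      // An empty header is not "absent": it must fail the allow-list like any other bad value.
      const h = fwdHost.split(',')[0].trim().toLowerCase();
      if (h === '' || !allowedHosts.has(h)) throw new Error(`rejected x-forwarded-host: ${JSON.stringify(fwdHost)}`);
      host = h;
    }
    const fwdPort = headers['x-forwarded-port'];
    if (fwdPort !== undefined) {
      const p = fwdPort.split(',')[0].trim();
      if (!PORT_RE.test(p) || Number(p) > 65535) throw new Error(`rejected x-forwarded-port: ${fwdPort}`);
      port = p;
    }
  }

  const url = new URL(`${proto}://${host}${pathname}`);
  if (port !== '') url.port = port; // the setter normalizes; a default port collapses to ''
  return url;
}

// Constructed attacker request: the scheme header smuggles a foreign host and path.
const ATTACK_HEADERS = { 'x-forwarded-proto': 'http://attacker.example/admin#' };
// Constructed legitimate request from a TLS-terminating proxy.
const PROXY_HEADERS = { 'x-forwarded-proto': 'https', 'x-forwarded-port': '8443' };

// What middleware keyed on url.pathname would see under the unsafe builder.
function demoUnsafe() {
  const u = buildUrlUnsafe(ATTACK_HEADERS, 'app.internal', '/protected/settings');
  return {
    host: u.host,
    pathname: u.pathname,
    seenByMiddlewareAsProtected: u.pathname.startsWith('/protected'),
  };
}

// The same attack is rejected, while a well-formed proxy header is honored.
function demoSafe() {
  let rejected = false;
  try {
    buildUrlSafe(ATTACK_HEADERS, 'app.internal', '/protected/settings', { trustProxy: true });
  } catch {
    rejected = true;
  }
  const ok = buildUrlSafe(PROXY_HEADERS, 'app.internal', '/protected/settings', { trustProxy: true });
  return { rejected, href: ok.href };
}

console.log(demoUnsafe());
console.log(demoSafe());
```

With the unsafe builder the request for /protected/settings is parsed as a request for /admin on attacker.example, so a middleware check on url.pathname never fires; the hardened builder throws on the same headers and, for the legitimate proxy headers, yields https://app.internal:8443/protected/settings.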
Related Identifiers

CVE-2025-64525
GHSA-HR2Q-HP5Q-X767

Affected Products

Astro