PT-2025-46907 · Snowflake · Astro

Published: 2025-11-13 · Updated: 2025-11-14

CVE-2025-64745

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Astro versions 5.2.0 through 5.15.6
Description: A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error pages of Astro's development server when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript that executes in the victim's browser context by crafting a malicious URL. Only the development server is affected, not production builds; the realistic impact is the compromise of developer environments through social engineering or malicious links.

The issue stems from the interpolation of the corrected variable, which is derived from the user-controlled pathname parameter, into the HTML without proper escaping. The pathname parameter itself is escaped elsewhere in the code, but the corrected variable is not. A URL carrying a JavaScript payload therefore executes when the vulnerable 404 page is rendered. The vulnerability was introduced in commit 536175528 as part of a feature that redirects trailing slashes on on-demand rendered pages. The affected endpoint is the development server's error page generation, and the vulnerable parameter is pathname.
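The escaping gap described above, as an added illustration that is not Astro's code: a simplified 404 renderer in which pathname is escaped but the derived corrected value is not, beside the hardened form that escapes every interpolated value. The function names, the trailingSlash handling and the page template are assumptions for the example.

```javascript
// Illustrative model of a dev-server 404 page that suggests a trailing-slash
// correction. Not Astro's code: names, template and slash logic are assumed.

// Minimal HTML escaper covering text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Derive the suggested path from the request path per trailingSlash ("always" | "never").
// The result is still attacker-controlled: it is just pathname with one character changed.
function correctTrailingSlash(pathname, trailingSlash) {
  if (trailingSlash === "always" && !pathname.endsWith("/")) return pathname + "/";
  if (trailingSlash === "never" && pathname.length > 1 && pathname.endsWith("/")) {
    return pathname.slice(0, -1);
  }
  return pathname;
}

// Vulnerable pattern: pathname is escaped, but the derived `corrected` value is
// interpolated raw into both an attribute and a text node.
function renderNotFoundVulnerable(pathname, trailingSlash) {
  const corrected = correctTrailingSlash(pathname, trailingSlash);
  return `<h1>404: ${escapeHtml(pathname)}</h1>` +
    `<p>Did you mean <a href="${corrected}">${corrected}</a>?</p>`;
}

// Hardened pattern: escape at the point of interpolation, for every value that is
// derived from user input, not only the one that happens to be named "pathname".
function renderNotFoundFixed(pathname, trailingSlash) {
  const corrected = escapeHtml(correctTrailingSlash(pathname, trailingSlash));
  return `<h1>404: ${escapeHtml(pathname)}</h1>` +
    `<p>Did you mean <a href="${corrected}">${corrected}</a>?</p>`;
}

// Reviewer check: does markup from the request path survive rendering as markup?
// Constructed sample input, harmless on its own, used only to show the difference.
const SAMPLE_PATH = "/docs/<b>x</b>";
function leaksMarkup(render) {
  return render(SAMPLE_PATH, "always").includes("<b>x</b>");
}
```

Running leaksMarkup over both renderers is the kind of unit test that would have caught the regression when the trailing-slash feature was added.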
Recommendations: Update to Astro version 5.15.6 or later.

Vulnerability class: XSS

Related Identifiers: CVE-2025-64745, GHSA-W2VJ-39QV-7VH7

Affected Products: Astro