PT-2026-21546 · Snowflake · Astro
Aikido-Security +2
Published: 2026-02-23 · Updated: 2026-03-01
CVE-2026-25545
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 9.5.4

Description: Astro, a web framework, is affected by a Server-Side Request Forgery (SSRF) issue in versions prior to 9.5.4. Server-side rendered pages that return an error and have a prerendered custom error page (such as 404.astro or 500.astro) are susceptible. If the Host: header is manipulated to point to an attacker's server, that server is fetched when a resource like /500.html is requested; it can then redirect to any internal URL, and the attacker can read the response body returned to the initial request. An attacker who can reach the application without Host: header validation (for example by discovering the origin IP address behind a proxy) can point the fetch at their own server and redirect it to internal IP addresses. This allows access to cloud metadata IPs and interaction with services within the internal network or localhost. The issue requires direct access to the server without any intervening proxies.

Recommendations: Update to Astro version 9.5.4 or later.
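The description above turns on one design choice: the server builds the URL for its prerendered error page from the request's Host: header, so whoever controls that header controls where the fetch goes and where its redirects lead. The following added example (it is not Astro's code and not part of this advisory) shows the two defensive checks a deployment would want around such a fetch: validating the Host: header against a configured allowlist, and refusing redirect targets that point at loopback, link-local (including the 169.254.169.254 cloud metadata range mentioned above) or RFC 1918 addresses. The allowlist entries, the SELF_ORIGIN value and the function names are assumptions chosen for illustration.

```javascript
// Added example, not Astro's code. Host-header allowlisting plus a redirect
// target check for a server-side fetch of a prerendered error page.

// Constructed allowlist of hostnames this deployment serves.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Constructed: the address the application itself listens on. Error pages are
// fetched from here, never from an origin derived from the request's Host header.
const SELF_ORIGIN = 'http://127.0.0.1:4321';

// Accept only "hostname" or "hostname:port" and require the hostname to be
// on the allowlist. Anything else (empty, malformed, unknown host) is rejected.
function isHostAllowed(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.trim() === '') return false;
  const m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(hostHeader.trim());
  if (!m) return false;
  return ALLOWED_HOSTS.has(m[1].toLowerCase());
}

// True for addresses a server-side fetch should never be redirected to:
// loopback, unspecified, link-local (169.254.0.0/16, fe80::/10), RFC 1918
// ranges and IPv6 unique-local addresses.
function isPrivateAddress(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h === '::1' || h === '::' || h === '0.0.0.0') return true;
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  return /^(fc|fd|fe[89ab])/.test(h);
}

// Decide whether a Location value returned by a fetch may be followed.
// Relative locations resolve against SELF_ORIGIN and therefore stay on the
// application itself; absolute ones must be allowlisted and not private.
function isSafeRedirect(location, base = SELF_ORIGIN) {
  let url;
  try {
    url = new URL(location, base);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.origin === SELF_ORIGIN) return true;
  if (isPrivateAddress(url.hostname)) return false;
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// Build the URL of the prerendered error page for a failed SSR request.
// The Host header is checked but never used to construct the fetch origin.
function errorPageUrl(status, hostHeader) {
  if (!isHostAllowed(hostHeader)) {
    throw new Error('untrusted Host header');
  }
  return new URL(`/${status}.html`, SELF_ORIGIN).toString();
}

// Middleware-style gate: reject requests whose Host header is not allowlisted.
// `request.headers` is assumed to be a plain object with lower-case keys.
function checkHost(request) {
  const host = request.headers && request.headers.host;
  if (!isHostAllowed(host)) {
    return { status: 400, body: 'Bad Request: unrecognised Host header' };
  }
  return null; // continue with normal handling
}
```

Two design notes. Fetching the error page from a fixed SELF_ORIGIN removes the Host: header from the trust chain entirely; the allowlist check then only protects against cache poisoning and similar Host-based abuse rather than being the last line of defence. And a hostname-based private-address check cannot see what a name resolves to, so a deployment that must follow redirects to allowlisted external hosts should resolve the name and apply the same check to the resulting address before connecting.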

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-25545
GHSA-QQ67-MVV5-FW3G

Affected Products
Astro