CVE-2025-61925
published 2025-10-10CVE-2025-61925: Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It…
PriorityP337medium6.5CVSS 3.1
AVNACLPRNUINSUCNILAL
EPSS
0.39%
30.4th percentile
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | < 5.14.2 | 5.14.2 |
| astro | astro | >= 0 < 5.14.3 | 5.14.3 |
| astro | astro | >= 2.16.0 < 5.15.5 | 5.15.5 |
| withastro | astro | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
ghsa6.5MEDIUM
osv6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
osv·2025-11-13·CVSS 6.5
CVE-2025-64525 [MEDIUM] Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are:
- Middleware-based protected route bypass (only via `x-forwarded-proto`)
- DoS via cache poisoning (if a CDN is present)
- SSRF (only via `x-forwarded-proto`)
- URL pollution (potential SXSS, if a CDN is present)
- WAF bypass
## Details
The `x-forwarded-proto` and `x-forwarded-port` headers are used without sanitization in two parts of the Astro server code. The most important is in t
GHSA
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
ghsa·2025-11-13·CVSS 6.5
CVE-2025-64525 [MEDIUM] CWE-918 Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are:
- Middleware-based protected route bypass (only via `x-forwarded-proto`)
- DoS via cache poisoning (if a CDN is present)
- SSRF (only via `x-forwarded-proto`)
- URL pollution (potential SXSS, if a CDN is present)
- WAF bypass
## Details
The `x-forwarded-proto` and `x-forwarded-port` headers are used without sanitization in two parts of the Astro server code. The most important is in t
GHSA
Astro's `X-Forwarded-Host` is reflected without validation
ghsa·2025-10-10
CVE-2025-61925 [MEDIUM] CWE-20 Astro's `X-Forwarded-Host` is reflected without validation
Astro's `X-Forwarded-Host` is reflected without validation
### Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an `X-Forwarded-Host` header that is reflected when using the recommended `Astro.url` property as there is no validation that the value is safe.
### Details
Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation.
It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value
OSV
Astro's `X-Forwarded-Host` is reflected without validation
osv·2025-10-10
CVE-2025-61925 [MEDIUM] Astro's `X-Forwarded-Host` is reflected without validation
Astro's `X-Forwarded-Host` is reflected without validation
### Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an `X-Forwarded-Host` header that is reflected when using the recommended `Astro.url` property as there is no validation that the value is safe.
### Details
Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation.
It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-10-10
Published