CVE-2025-64525
published 2025-11-13

Priority: P347 (medium), CVSS 3.1 base score 6.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploit likelihood (EPSS): 1.09% (61.1st percentile)
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 that use on-demand rendering, the request headers `x-forwarded-proto` and `x-forwarded-port` are used insecurely, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.

Affected

2 ranges

Vendor   Product   Version range         Fixed in
astro    astro     >= 2.16.0 < 5.15.5    5.15.5
astro    astro     >= 2.16.0 < 5.15.5    5.15.5

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
ghsa               6.5     MEDIUM
osv                6.5     MEDIUM