CVE-2025-64525
Published 2025-11-13
Priority P3 47 · medium · CVSS 3.1 6.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:L
EPSS: 1.09% (61.1th percentile)
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilize on-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | >= 2.16.0 < 5.15.5 | 5.15.5 |
| astro | astro | >= 2.16.0 < 5.15.5 | 5.15.5 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| ghsa | | 6.5 | MEDIUM | |
| osv | | 6.5 | MEDIUM | |
OSV
CVE-2025-64525 [MEDIUM] Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
osv · 2025-11-13 · CVSS 6.5
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are:
- Middleware-based protected route bypass (only via `x-forwarded-proto`)
- DoS via cache poisoning (if a CDN is present)
- SSRF (only via `x-forwarded-proto`)
- URL pollution (potential SXSS, if a CDN is present)
- WAF bypass
## Details
The `x-forwarded-proto` and `x-forwarded-port` headers are used without sanitization in two parts of the Astro server code. The most important is in t
GHSA
CVE-2025-64525 [MEDIUM] CWE-918 Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
ghsa · 2025-11-13 · CVSS 6.5
No detection rules found.
Nuclei
CVE-2025-64525 [MEDIUM] Astro - Broken Access Control
nuclei · CVSS 6.5
Astro 2.16.0 to 5.15.5 contains a broken access control caused by insecure use of unsanitized x-forwarded-proto and x-forwarded-port headers in URL building, letting attackers bypass middleware protection, cause DoS, SSRF, and URL pollution; the exploit requires crafted headers.
Template:

```yaml
id: CVE-2025-64525
info:
  name: Astro - Broken Access Control
  author: zhero___,DhiyaneshDK
  severity: medium
  description: |
    Astro 2.16.0 to 5.15.5 contains a broken access control caused by insecure use of unsanitized x-forwarded-proto and x-forwarded-port headers in URL building, letting attackers bypass middleware protection, cause DoS, SSRF, and URL pollution, exploit requires crafted headers.
  impact: |
    Attackers can bypass route protection, cause denial of service, perform
```
References
- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121
- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97
- https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4
- https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767