Astro: Duplicate trailing slash feature can lead to Open Redirects
Description
Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with //.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
astronpm | >= 5.2.0, < 5.12.8 | 5.12.8 |
Affected products
1Patches
13 files changed · +10 −1
.changeset/easy-turtles-kiss.md+6 −0 added@@ -0,0 +1,6 @@ +--- +'@astrojs/internal-helpers': patch +'astro': patch +--- + +Adds `//` to list of internal path prefixes that do not have automated trailing slash handling
packages/astro/test/ssr-trailing-slash.test.js+3 −0 modified@@ -116,6 +116,7 @@ describe('Redirecting trailing slashes in SSR', () => { '/_server-islands/foo', '/_actions/foo', '/.netlify/image?url=http://example.com/foo.jpg', + '//target.example/path', ]) { const request = new Request(`http://example.com${path}`); const response = await app.render(request); @@ -213,6 +214,7 @@ describe('Redirecting trailing slashes in SSR', () => { '/_server-islands/foo/', '/_actions/foo/', '/.netlify/image/?url=http://example.com/foo.jpg', + '//target.example/path/', ]) { const request = new Request(`http://example.com${path}/`); const response = await app.render(request); @@ -271,6 +273,7 @@ describe('Redirecting trailing slashes in SSR', () => { '/_server-islands/foo//', '/_actions/foo//', '/.netlify/image//?url=http://example.com/foo.jpg', + '//target.example/path//', ]) { const request = new Request(`http://example.com${path}/`); const response = await app.render(request);
packages/internal-helpers/src/path.ts+1 −1 modified@@ -69,7 +69,7 @@ function isString(path: unknown): path is string { return typeof path === 'string' || path instanceof String; } -const INTERNAL_PREFIXES = new Set(['/_', '/@', '/.']); +const INTERNAL_PREFIXES = new Set(['/_', '/@', '/.', '//']); const JUST_SLASHES = /^\/{2,}$/; export function isInternalPath(path: string) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-cq8c-xv66-36gwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-54793ghsaADVISORY
- github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48fghsax_refsource_MISCWEB
- github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gwghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.