Astro's `X-Forwarded-Host` is reflected with no validation
Description
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation. It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value. This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
astronpm | < 5.14.3 | 5.14.3 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-5ff5-9fcw-vg88ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-61925ghsaADVISORY
- github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553fghsaWEB
- github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.