Moderate severity · NVD Advisory · Published Nov 13, 2025 · Updated Nov 13, 2025
Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass
CVE-2025-64525
Description
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 that use on-demand rendering, the request headers x-forwarded-proto and x-forwarded-port are used, without sanitization, to build the request URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via x-forwarded-proto), DoS via cache poisoning (if a CDN is present), SSRF (only via x-forwarded-proto), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
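The defensive counterpart to the issue described above, as an added example that is not Astro's code: derive the request URL from proxy headers only after validating x-forwarded-proto against an allowlist of schemes and x-forwarded-port as a numeric port, falling back to the socket's own scheme and port otherwise. The Node-style `req` shape, the `fallback` argument and the assumption that the Host header carries no port are illustrative choices, not part of the advisory.

```javascript
// Added example (not Astro's code): build a request URL from proxy headers,
// accepting x-forwarded-proto / x-forwarded-port only when well-formed.

const ALLOWED_PROTOS = new Set(["http", "https"]);

// Returns "http" or "https", or null when the header is not a plain scheme.
function sanitizeProto(value) {
  if (typeof value !== "string") return null;
  // Proxy chains may join hops with commas; only the first hop is used.
  const first = value.split(",")[0].trim().toLowerCase();
  return ALLOWED_PROTOS.has(first) ? first : null;
}

// Returns a port in 1..65535, or null when the value is not purely numeric.
function sanitizePort(value) {
  if (typeof value !== "string") return null;
  const first = value.split(",")[0].trim();
  if (!/^\d{1,5}$/.test(first)) return null;
  const port = Number(first);
  return port >= 1 && port <= 65535 ? port : null;
}

// Builds the public URL for a request. `req` mimics a Node IncomingMessage:
// { headers: {...}, url: "/path?query" }. Header values that fail validation
// are never interpolated; the assumed `fallback` (socket scheme/port) is used.
// Assumption: the Host header has already been validated and carries no port.
function buildRequestUrl(req, fallback = { proto: "http", port: 80 }) {
  const host = req.headers.host;
  const proto = sanitizeProto(req.headers["x-forwarded-proto"]) ?? fallback.proto;
  const port = sanitizePort(req.headers["x-forwarded-port"]) ?? fallback.port;
  const defaultPort = proto === "https" ? 443 : 80;
  const hostPort = port === defaultPort ? host : `${host}:${port}`;
  // new URL() normalises the result and throws on anything malformed.
  return new URL(req.url, `${proto}://${hostPort}`).href;
}
```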
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| astro | npm | >= 2.16.0, < 5.15.5 | 5.15.5 |
References
- https://github.com/advisories/GHSA-hr2q-hp5q-x767 (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-64525 (advisory)
- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts (affected source)
- https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4 (fix commit)
- https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767 (vendor advisory)