VYPR
← All advisories
Low severityNVD Advisory· Published Nov 13, 2025· Updated Nov 13, 2025

Astro development server error page vulnerable to reflected Cross-site Scripting

CVE-2025-64745

Description

Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
astronpm
>= 5.2.0, < 5.15.65.15.6

Affected products

1

Patches

1
790d9425f39b

Merge commit from fork

https://github.com/withastro/astroChris SwithinbankNov 13, 2025via ghsa
commit
1 file changed · +3 2
  • packages/astro/src/template/4xx.ts+3 2 modified
    @@ -134,10 +134,11 @@ export function trailingSlashMismatchTemplate(
 	pathname: string,
 	trailingSlash: 'always' | 'never' | 'ignore',
 ) {
-	const corrected =
+	const corrected = escape(
 		trailingSlash === 'always'
 			? appendForwardSlash(pathname)
-			: removeTrailingForwardSlash(pathname);
+			: removeTrailingForwardSlash(pathname),
+	);
 	return template({
 		pathname,
 		statusCode: 404,

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.