Astro development server error page is vulnerable to reflected Cross-site Scripting

Severity:: Low

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro’s development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim’s browser context by crafting a malicious URL.

Recommendation

Update the astro package to the latest compatible version. Followings are version details:

Affected version(s): >= 5.2.0, < 5.15.6
Patched version(s): 5.15.6

References

GHSA-w2vj-39qv-7vh7
CVE-2025-64745
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

`vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - vega - CVE-2025-27793

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; astro

Anything's wrong? Let us know Last updated on November 27, 2025