Description
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.
Recommendation
Update the astro package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.14.3
- Patched version(s): 5.14.3
References
Related Issues
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
- Tags:
- npm
- astro
Anything's wrong? Let us know Last updated on October 10, 2025