Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass

Severity:: Medium

Description

In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL.

Recommendation

Update the astro package to the latest compatible version. Followings are version details:

Affected version(s): >= 2.16.0, < 5.15.5
Patched version(s): 5.15.5

References

GHSA-hr2q-hp5q-x767
CVE-2025-64525
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
Astros's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793

Tags:: npm; astro

Anything's wrong? Let us know Last updated on November 13, 2025