AI description
CVE-2025-61925 is a vulnerability in the Astro web framework prior to version 5.14.2. When rendering pages on demand, Astro populates `Astro.url` from the `X-Forwarded-Host` request header without validating it. Reverse proxies such as nginx commonly route on the `Host` header and pass the remaining request headers through unchanged, so an attacker can send a request in which `Host` is correct for the site but `X-Forwarded-Host` names a host they control, and Astro builds `Astro.url` from the attacker's value. Anything derived from `Astro.url` then points at the attacker's host: a canonical link built from it following the framework's own guidance, or in principle a login or registration form action, which would send submitted credentials to the attacker. On its own this affects only the request that carries the header, but a caching proxy in front of an on-demand-rendered Astro site can store the poisoned page and serve it to subsequent users. Astro 5.14.2 adds validation of the `X-Forwarded-Host` value. That check was later bypassed (see the CVE-2025-64525 research referenced below); one reported bypass is sending an empty `x-forwarded-host` value.
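The mechanism described above, as an added example that is neither Astro's code nor taken from the advisory: a small Node.js model of a server that derives the request origin from `X-Forwarded-Host` the way the vulnerable `Astro.url` did, the same resolution hardened with a host allowlist and a syntax check, and a path-keyed cache showing how a single attacker request poisons the canonical link served to later users. The `allowedHosts` parameter, the `HOST_RE` regex, `makePathKeyedCache` and the sample headers are assumptions for illustration, not Astro options or real traffic. The hardened version also rejects an empty `X-Forwarded-Host`, since the description above mentions an empty value as a bypass of the first fix.

```javascript
// Added example, not Astro's own code. Models origin resolution from
// X-Forwarded-Host, an allowlisted version of it, and cache persistence.

// A request as it arrives from a reverse proxy such as nginx: the proxy
// routed on Host and passed the client's other headers through unchanged.
// Constructed sample; header names are lower-cased as Node's http module does.
function makeRequest(headers, path = '/account/login') {
  return { headers, path };
}

// Vulnerable behaviour: prefer X-Forwarded-Host over Host with no validation,
// so the client controls the origin of every URL built from the result.
function resolveUrlTrustingForwardedHost(req) {
  const host = req.headers['x-forwarded-host'] ?? req.headers['host'];
  const proto = req.headers['x-forwarded-proto'] ?? 'https';
  return new URL(req.path, `${proto}://${host}`);
}

// Bare host[:port] made of RFC 1123 labels. Rejects the empty string,
// whitespace, schemes, paths and anything else that is not a hostname.
const HOST_RE =
  /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?::\d{1,5})?$/i;

// Hardened behaviour: X-Forwarded-Host is honoured only when it is non-empty,
// syntactically a hostname, and in the operator's allowlist; otherwise Host is
// used, and Host itself must also be allowlisted. `allowedHosts` is an assumed
// parameter for this example, not an Astro configuration option.
function resolveUrlWithAllowlist(req, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const forwarded = (req.headers['x-forwarded-host'] ?? '').trim();
  const proto = req.headers['x-forwarded-proto'] === 'http' ? 'http' : 'https';
  let host = req.headers['host'] ?? '';
  if (forwarded !== '' && HOST_RE.test(forwarded) && allowed.has(forwarded.toLowerCase())) {
    host = forwarded;
  }
  if (!allowed.has(host.toLowerCase())) {
    throw new Error(`untrusted host: ${JSON.stringify(host)}`);
  }
  return new URL(req.path, `${proto}://${host}`);
}

// What the description's example does with Astro.url: render a canonical link.
function canonicalTag(url) {
  return `<link rel="canonical" href="${url.href}">`;
}

// A caching proxy in front of the app that keys only on the request path.
// Whatever the first request for a path produced is served to everyone after.
function makePathKeyedCache(render) {
  const store = new Map();
  return (req) => {
    if (!store.has(req.path)) store.set(req.path, render(req));
    return store.get(req.path);
  };
}

// Attacker primes the cache, then an ordinary user requests the same path.
function demo() {
  const victimHeaders = { host: 'shop.example', 'x-forwarded-proto': 'https' };
  const attackerHeaders = { ...victimHeaders, 'x-forwarded-host': 'evil.example' };

  const vulnerable = makePathKeyedCache((req) => canonicalTag(resolveUrlTrustingForwardedHost(req)));
  const hardened = makePathKeyedCache((req) => canonicalTag(resolveUrlWithAllowlist(req, ['shop.example'])));

  return {
    poisoned: vulnerable(makeRequest(attackerHeaders)),
    servedToVictim: vulnerable(makeRequest(victimHeaders)),
    hardenedPrimed: hardened(makeRequest(attackerHeaders)),
    hardenedVictim: hardened(makeRequest(victimHeaders)),
  };
}

module.exports = { makeRequest, resolveUrlTrustingForwardedHost, resolveUrlWithAllowlist, canonicalTag, makePathKeyedCache, HOST_RE, demo };
```

Running `demo()` shows the vulnerable cache handing the attacker's canonical link to the second, clean request, while the hardened resolver ignores the forwarded value and serves the real origin to both. The allowlist is the important part: a syntax check alone would still accept `evil.example`.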
- Description
- Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such, a malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example, if a user follows guidance and uses `Astro.url` for a canonical link, the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector, the surface area would only be the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected, to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- astro
CVSS 3.1
- Type
- Secondary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- Severity
- MEDIUM
Weakness
- Source
- security-advisories@github.com
- CWE
- CWE-470 (Use of Externally-Controlled Input to Select Classes or Code)
- Hype score
- Not currently trending
release of our new paper (w/ @inzo____) which resulted in CVE-2025-64525: Astro framework and standards weaponization from path-based middleware protection bypass to potential SSRF & XSS + full bypass of CVE-2025-61925 on @astrodotbuild https://t.co/xTO55gNFu4 https://t.co
@zhero___
13 Nov 2025
7266 Impressions
45 Retweets
170 Likes
72 Bookmarks
7 Replies
3 Quotes
CVE-2025-61925 Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is commo… https://t.co/zjkXYcJ7Nx
@CVEnew
10 Oct 2025
267 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
```json
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "FFAAA369-C462-46C6-8029-8ADC566A1869",
            "versionEndExcluding": "5.14.2",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]
```