CVE-2025-64525

Published Nov 13, 2025

Last updated 10 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-64525 affects the Astro web framework in versions 2.16.0 up to, but excluding, 5.15.5 when utilizing on-demand rendering. The vulnerability stems from the insecure use of the `x-forwarded-proto` and `x-forwarded-port` request headers without proper sanitization when constructing the URL. This insecure URL construction can lead to several consequences, including bypassing middleware-protected routes (only via `x-forwarded-proto`), denial-of-service (DoS) via cache poisoning (if a CDN is present), server-side request forgery (SSRF) (only via `x-forwarded-proto`), URL pollution potentially leading to cross-site scripting (SXSS) (if a CDN is present), and web application firewall (WAF) bypass. A patch is available in version 5.15.5.

Description: Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.5
Impact score: 2.5
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-918

Hype score: Not currently trending

References