CVE-2025-54793: Astro's duplicate trailing slash feature leads to an open redirection security issue
There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.
This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.
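The following is an added illustration of this bug class and is not Astro's own code: a hypothetical trailing-slash redirect handler that builds the Location value from the raw request path, beside a hardened version that collapses repeated slashes and refuses any target that is not a plain same-origin path. The function names and the "strip trailing slash" mode are assumptions for the example.

```javascript
// Added example (not Astro's code). Hypothetical trailing-slash mode in which a
// request path ending in "/" is redirected to the same path without the slash.

// Vulnerable variant: the redirect target is built directly from the raw path.
// A request for "//malicious-site.com/" becomes "//malicious-site.com", which
// browsers treat as a protocol-relative URL and follow to the external host.
function redirectTargetVulnerable(pathname) {
  if (pathname.length > 1 && pathname.endsWith('/')) {
    return pathname.slice(0, -1);
  }
  return null; // no redirect needed
}

// A safe target starts with exactly one "/" and carries no URL scheme.
function isSameOriginPath(target) {
  return (
    target.startsWith('/') &&
    !target.startsWith('//') &&
    !/^[a-z][a-z0-9+.-]*:/i.test(target)
  );
}

// Hardened variant: collapse runs of slashes first (backslashes included, since
// some browsers normalise "\" to "/"), strip the trailing slash, then validate
// the result before it is ever placed in a Location header.
function redirectTargetHardened(pathname) {
  const collapsed = pathname.replace(/[\/\\]+/g, '/');
  if (collapsed.length > 1 && collapsed.endsWith('/')) {
    const target = collapsed.slice(0, -1);
    return isSameOriginPath(target) ? target : null;
  }
  return null;
}
```

`isSameOriginPath` doubles as a check a reviewer can run over any Location value the application emits: the vulnerable variant's output for the crafted path fails it, the hardened variant's output passes.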