CVE-2025-61925: Astro's `X-Forwarded-Host` is reflected without validation

October 10, 2025

When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

References

github.com/Chisnet/minimal_dynamic_astro_server
github.com/advisories/GHSA-5ff5-9fcw-vg88
github.com/withastro/astro
github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f
github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88
nvd.nist.gov/vuln/detail/CVE-2025-61925

Code Behaviors & Features

Detect and mitigate CVE-2025-61925 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →