CVE-2025-64525: Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
In impacted versions of Astro using on-demand rendering, the request headers x-forwarded-proto and x-forwarded-port are used without sanitization to build the request URL. This has several consequences, the most important of which are:
- Middleware-based protected route bypass (only via x-forwarded-proto)
- DoS via cache poisoning (if a CDN is present)
- SSRF (only via x-forwarded-proto)
- URL pollution (potential SXSS, if a CDN is present)
- WAF bypass
References
- github.com/advisories/GHSA-hr2q-hp5q-x767
- github.com/withastro/astro
- github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts
- github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4
- github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767
- nvd.nist.gov/vuln/detail/CVE-2025-64525