CVE-2025-61925
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value of the `X-Forwarded-Host` request header in its output when `Astro.url` is used, without any validation. It is common for web servers such as nginx to route requests based on the `Host` header and to forward other request headers unchanged. As such, a malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header whose values do not match, where the `X-Forwarded-Host` value is attacker-controlled; Astro will then return that value. Any use of the `Astro.url` value in application code can therefore be manipulated by a single request. For example, if a user follows the documented guidance and uses `Astro.url` to build a canonical link, that canonical link can be pointed at another site. It is theoretically possible that the value could also be used as a login/registration or other form action URL, potentially redirecting submitted credentials to a malicious party. Because this is a per-request attack vector, the exposure would be limited to the malicious user's own responses, except that a caching proxy is a common deployment, in which case any cached page could persist the malicious value and serve it to subsequent users. Many other frameworks validate the forwarded host against an allowlist of domains, or never reflect these headers at all, to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: astro; Product: astro; Version / Range: up to 5.14.2 (excluding)
CWE
CWE-470: The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Astro web framework versions prior to 5.14.2 involves the reflection of the 'X-Forwarded-Host' header value in the output of 'Astro.url' without validation. A malicious user can send a request with a mismatched 'Host' and 'X-Forwarded-Host' header, causing Astro to return the malicious 'X-Forwarded-Host' value. This can manipulate URLs generated by 'Astro.url', such as canonical links or login/registration URLs, potentially redirecting users to malicious sites. If a caching proxy is used, the malicious value could be cached and served to other users.


How can this vulnerability impact me?

The vulnerability can lead to URL manipulation, allowing attackers to redirect users to malicious sites through manipulated canonical links or login/registration URLs. This could result in credential theft or phishing attacks. Additionally, if a caching proxy is used, the malicious URL could be cached and served to other users, increasing the impact beyond the initial attacker.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Astro to version 5.14.2 or later, as this version contains a fix for the vulnerability. Additionally, consider implementing validation or an allowlist for the 'X-Forwarded-Host' header to prevent malicious values from being reflected in output. If using a caching proxy, ensure that cached pages do not persist malicious header values.
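The following is an added example, not Astro's own code, showing the unvalidated host derivation the advisory describes beside the allowlist-validated form recommended above. It assumes a deployment that knows its own canonical hostnames (the constructed `ALLOWED_HOSTS` list) and plain Node.js header objects with lowercased keys.

```javascript
// Added example (not Astro's implementation). Demonstrates why trusting
// X-Forwarded-Host blindly lets a client rewrite Astro.url-style output,
// and how an allowlist check fixes it. Hostnames below are constructed.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Unvalidated: prefers X-Forwarded-Host whenever present, so a request whose
// Host and X-Forwarded-Host disagree gets the forwarded value reflected.
function resolveHostUnvalidated(headers) {
  return headers['x-forwarded-host'] || headers['host'];
}

// Validated: honour X-Forwarded-Host only if it is one of our hosts, then
// fall back to Host under the same rule. Returns null when neither is ours.
function resolveHostValidated(headers, allowed = ALLOWED_HOSTS) {
  const candidates = [headers['x-forwarded-host'], headers['host']];
  for (const raw of candidates) {
    if (!raw) continue;
    // Keep the first entry of a comma-separated proxy chain, drop any port,
    // and normalise case before comparing against the allowlist.
    const host = raw.split(',')[0].trim().replace(/:\d+$/, '').toLowerCase();
    if (allowed.has(host)) return host;
  }
  return null;
}

// Builds a canonical URL the way Astro.url-based code typically does.
// With the validated resolver it fails closed (null) for unknown hosts
// instead of emitting a URL that a caching proxy could then store.
function canonicalUrl(headers, path, resolveHost = resolveHostValidated) {
  const host = resolveHost(headers);
  if (!host) return null;
  return `https://${host}${path}`;
}

// Constructed sample request in which the two headers disagree.
const sampleHeaders = {
  host: 'example.com',
  'x-forwarded-host': 'attacker.example',
};
```

Run against `sampleHeaders`, the unvalidated resolver yields the forwarded hostname while the validated one yields `example.com`; the null return is the point at which a real handler should respond with an error rather than render.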

