CVE-2026-25545
SSRF Vulnerability in Astro SSR Error Pages Allows Internal Access
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| astro | @astrojs/node | to 9.5.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25545 is a Server-Side Request Forgery (SSRF) vulnerability in the Astro web framework, specifically affecting versions prior to 9.5.4 of the @astrojs/node package.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs when server-side rendered (SSR) pages return an error with a prerendered custom error page (such as 404.astro or 500.astro). Astro fetches the error page internally based on the Host HTTP header without properly validating or normalizing it.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by sending a request with a malicious Host header pointing to their own server. Astro will fetch the attacker's server's error page, which can redirect to any internal or localhost URL. Because redirects are followed and the response body is returned without validation, the attacker can read sensitive internal resources or metadata by proxying the response through the vulnerable server."}, {'type': 'paragraph', 'content': 'This requires the attacker to have direct access to the server without Host header validation (for example, by bypassing proxies or accessing the origin IP directly) and for the SSR error rendering with a prerendered custom error page to be triggered.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 9.5.4 by properly validating and restricting the Host header and preventing unsafe fetches based on untrusted input.'}] [1]
How can this vulnerability impact me? :
This vulnerability allows an attacker to perform SSRF attacks by sending requests with arbitrary Host headers to the vulnerable Astro server.
- The attacker can read internal network resources, including sensitive cloud metadata services or localhost services, by causing the server to fetch and return internal URLs.
- No privileges or user interaction are required to exploit this vulnerability.
- The attack complexity is high because it requires direct access to the server without Host header validation and specific error conditions to be met.
- The confidentiality impact is high, as sensitive internal information can be exposed.
- The integrity impact is low and availability impact is none.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for requests to the Astro server that include unusual or attacker-controlled Host headers, especially those that cause the server to fetch external or internal URLs during server-side rendering of error pages.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to inspect HTTP requests for suspicious Host headers that differ from expected domain names or IP addresses.'}, {'type': 'paragraph', 'content': 'Additionally, you can analyze server logs for requests that trigger SSR error pages (such as 500 errors) combined with Host headers pointing to unexpected domains or IPs.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this vulnerability include:'}, {'type': 'list_item', 'content': 'Using grep or similar tools to search web server logs for suspicious Host headers, e.g.:'}, {'type': 'list_item', 'content': "grep -i 'Host: attacker.tld' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': "grep -E 'Host: (localhost|127\\.0\\.0\\.1|169\\.254\\.169\\.254)' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': 'Using network monitoring tools (e.g., tcpdump) to capture HTTP requests and inspect Host headers:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Host:'"}, {'type': 'paragraph', 'content': 'Because the vulnerability requires the server to fetch URLs based on the Host header during SSR error rendering, detecting unexpected or attacker-controlled Host headers in requests is key.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the @astrojs/node package to version 9.5.4 or later, where this SSRF vulnerability has been fixed.
Additional mitigation measures include:
- Implement strict validation and normalization of the Host header to ensure it only contains expected and safe values.
- Avoid fetching error pages based on untrusted Host headers or ensure that fetch responses are properly validated and restricted to prevent following redirects to internal or attacker-controlled URLs.
- Restrict direct access to the server to prevent attackers from bypassing proxies and sending arbitrary Host headers.