CVE-2025-64525 (GCVE-0-2025-64525)
Vulnerability from cvelistv5
Published
2025-11-13 15:58
Modified
2025-11-13 16:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T16:15:07.067807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T16:15:18.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.16.0, \u003c 5.15.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T15:58:16.797Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
},
{
"name": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"
},
{
"name": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121"
},
{
"name": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97"
}
],
"source": {
"advisory": "GHSA-hr2q-hp5q-x767",
"discovery": "UNKNOWN"
},
"title": "Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64525",
"datePublished": "2025-11-13T15:58:16.797Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-11-13T16:15:18.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-64525\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-13T16:15:56.447\",\"lastModified\":\"2025-11-25T15:14:02.570\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"2.16.0\",\"versionEndExcluding\":\"5.15.5\",\"matchCriteriaId\":\"1C5C6C54-B40E-40C9-B3EF-905E2A559278\"}]}]}],\"references\":[{\"url\":\"https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64525\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-13T16:15:07.067807Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-13T16:15:14.247Z\"}}], \"cna\": {\"title\": \"Astro: URL manipulation via unsanitized headers leads to path-based middleware protections bypass, potential SSRF/cache-poisoning, CVE-2025-61925 bypass\", \"source\": {\"advisory\": \"GHSA-hr2q-hp5q-x767\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"withastro\", \"product\": \"astro\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.16.0, \u003c 5.15.5\"}]}], \"references\": [{\"url\": \"https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767\", \"name\": \"https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4\", \"name\": \"https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121\", \"name\": \"https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97\", \"name\": \"https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-13T15:58:16.797Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-64525\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-13T16:15:18.417Z\", \"dateReserved\": \"2025-11-05T21:15:39.401Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-13T15:58:16.797Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
ghsa-hr2q-hp5q-x767
Vulnerability from github
Published
2025-11-13 22:46
Modified
2025-11-13 22:46
Severity ?
VLAI Severity ?
Summary
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Details
Summary
In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are:
- Middleware-based protected route bypass (only via
x-forwarded-proto) - DoS via cache poisoning (if a CDN is present)
- SSRF (only via
x-forwarded-proto) - URL pollution (potential SXSS, if a CDN is present)
- WAF bypass
Details
The x-forwarded-proto and x-forwarded-port headers are used without sanitization in two parts of the Astro server code. The most important is in the createRequest() function. Any configuration, including the default one, is affected:
https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97 https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121
These header values are then used directly to construct URLs.
By injecting a payload at the protocol level during URL creation (via the x-forwarded-proto header), the entire URL can be rewritten, including the host, port and path, and then pass the rest of the URL, the real hostname and path, as a query so that it doesn't affect (re)routing.
If the following header value is injected when requesting the path /ssr:
x-forwarded-proto: https://www.malicious-url.com/?tank=
The complete URL that will be created is: https://www.malicious-url.com/?tank=://localhost/ssr
As a reminder, URLs are created like this:
url = new URL(`${protocol}://${hostnamePort}${req.url}`);
The value is injected at the beginning of the string (${protocol}), and ends with a query ?tank= whose value is the rest of the string, ://${hostnamePort}${req.url}.
This way there is control over the routing without affecting the path, and the URL can be manipulated arbitrarily. This behavior can be exploited in various ways, as will be seen in the PoC section.
The same logic applies to x-forwarded-port, with a few differences.
[!NOTE] The
createRequestfunction is called every time a non-static page is requested. Therefore, all non-static pages are exploitable for reproducing the attack.
PoC
The PoC will be tested with a minimal repository:
- Latest Astro version at the time (
2.16.0) - The Node adapter
- Two simple pages, one SSR (
/ssr), the other simulating an admin page (/admin) protected by a middleware - A middleware example copied and pasted from the official Astro documentation to protect the admin page based on the path
Middleware-based protected route bypass - x-forwarded-proto only
The middleware has been configured to protect the /admin route based on the official documentation:
```ts // src/middleware.ts import { defineMiddleware } from "astro/middleware";
export const onRequest = defineMiddleware(async (context, next) => { const isAuthed = false; // auth logic if (context.url.pathname === "/admin" && !isAuthed) { return context.redirect("/"); } return next(); }); ```
-
When tryint to access
/adminthe attacker is naturally redirected :sh curl -i http://localhost:4321/admin -
The attackr can bypass the middleware path check using a malicious header value:
sh curl -i -H "x-forwarded-proto: x:admin?" http://localhost:4321/admin
How is this possible?
Here, with the payload x:admin?, the attacker can use the URL API parser to their advantage:
x:is considered the protocol- Since there is no
//, the parser considers there to be no authority, and everything before the?character is therefore considered part of the path:admin
During a path-based middleware check, the path value begins with a /: context.url.pathname === "/admin". However, this is not the case with this payload; context.url.pathname === "admin", the absence of a slash satisfies both the middleware check and the router and consequently allows us to bypass the protection and access the page.
SSRF
As seen, the request URL is built from untrusted input via the x-forwarded-protocol header, if it turns out that this URL is subsequently used to perform external network calls, for an API for example, this allows an attacker to supply a malicious URL that the server will fetch, resulting in server-side request forgery (SSRF).
Example of code reusing the "origin" URL, concatenating it to the API endpoint :
DoS via cache poisoning
If a CDN is present, it is possible to force the caching of bad pages/resources, or 404 pages on the application routes, rendering the application unusable.
A 404 cab be forced, causing an error on the /ssr page like this : curl -i -H "x-forwarded-proto: https://localhost/vulnerable?" http://localhost:4321/ssr
Same logic applies to x-forwarded-port : curl -i -H "x-forwarded-port: /vulnerable?" http://localhost:4321/ssr
How is this possible?
The router sees the request for the path /vulnerable, which does not exist, and therefore returns a 404, while the potential CDN sees /ssr and can then cache the 404 response, consequently serving it to all users requesting the path /ssr.
URL pollution
The exploitability of the following is also contingent on the presence of a CDN, and is therefore cache poisoning.
If the value of request.url is used to create links within the page, this can lead to Stored XSS with x-forwarded-proto and the following value:
x-forwarded-proto: javascript:alert(document.cookie)//
results in the following URL object:
It is also possible to inject any link, always, if the value of request.url is used on the server side to create links.
x-forwarded-proto: https://www.malicious-site.com/bad?
The attacker is more limited with x-forwarded-port
If the value of request.url is used to create links within the page, this can lead to broken links, with the header and the following value:
X-Forwarded-Port: /nope?
Example of an Astro website:
WAF bypass
For this section, Astro invites users to read previous research on the React-Router/Remix framework, in the section "Exploitation - WAF bypass and escalations". This research deals with a similar case, the difference being that the vulnerable header was x-forwarded-host in their case:
https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path
Note: A section addressing DoS attacks via cache poisoning using the same vector was also included there.
CVE-2025-61925 complete bypass
It is possible to completely bypass the vulnerability patch related to the X-Forwarded-Host header.
By sending x-forwarded-host with an empty value, the forwardedHostname variable is assigned an empty string. Then, during the subsequent check, the condition fails because forwardedHostname returns false, its value being an empty string:
``` if (forwardedHostname && !App.validateForwardedHost(...))
```
Consequently, the implemented check is bypassed. From this point on, since the request has no host (its value being an empty string), the path value is retrieved by the URL parser to set it as the host. This is because the http/https schemes are considered special schemes by the WHATWG URL Standard Specification, requiring an authority state.
From there, the following request on the example SSR application (astro repo) yields an SSRF:
empty
x-forwarded-host + the target host in the path
Credits
- Allam Rachid (zhero;)
- Allam Yasser (inzo)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "2.16.0"
},
{
"fixed": "5.15.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64525"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T22:46:24Z",
"nvd_published_at": "2025-11-13T16:15:56Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nIn impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are:\n\n- Middleware-based protected route bypass (only via `x-forwarded-proto`)\n- DoS via cache poisoning (if a CDN is present)\n- SSRF (only via `x-forwarded-proto`)\n- URL pollution (potential SXSS, if a CDN is present) \n- WAF bypass\n\n## Details\n\nThe `x-forwarded-proto` and `x-forwarded-port` headers are used without sanitization in two parts of the Astro server code. The most important is in the `createRequest()` function. Any configuration, including the default one, is affected: \n\n[https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97](https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97)\n[https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121](https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121)\n\nThese header values are then used directly to construct URLs.\n\nBy injecting a payload at the protocol level during URL creation (via the `x-forwarded-proto` header), the entire URL can be rewritten, including the host, port and path, and then pass the rest of the URL, the real hostname and path, as a query so that it doesn\u0027t affect (re)routing.\n\nIf the following header value is injected when requesting the path `/ssr`:\n\n```\nx-forwarded-proto: https://www.malicious-url.com/?tank=\n```\n\nThe complete URL that will be created is: `https://www.malicious-url.com/?tank=://localhost/ssr`\n\nAs a reminder, URLs are created like this:\n\n```\nurl = new URL(`${protocol}://${hostnamePort}${req.url}`);\n```\n\nThe value is injected at the beginning of the string (`${protocol}`), and ends with a query `?tank=` whose value is the rest of the string, `://${hostnamePort}${req.url}`.\n\nThis way there is control over the routing without affecting the path, and the URL can be manipulated arbitrarily. This behavior can be exploited in various ways, as will be seen in the PoC section.\n\nThe same logic applies to `x-forwarded-port`, with a few differences.\n\n\u003e [!NOTE]\n\u003e The `createRequest` function is called every time a non-static page is requested. Therefore, all non-static pages are exploitable for reproducing the attack.\n\n## PoC\n\nThe PoC will be tested with a minimal repository:\n\n- Latest Astro version at the time (`2.16.0`)\n- The Node adapter\n- Two simple pages, one SSR (`/ssr`), the other simulating an admin page (`/admin`) protected by a middleware\n- A middleware example copied and pasted from the official Astro documentation to protect the admin page based on the path\n\n[Download the PoC repository](https://github.com/zhero-web-sec/astro-app)\n\n### Middleware-based protected route bypass - x-forwarded-proto only\n\nThe middleware has been configured to protect the `/admin` route based on [the official documentation](https://docs.astro.build/en/guides/authentication/):\n\n```ts\n// src/middleware.ts\nimport { defineMiddleware } from \"astro/middleware\";\n\nexport const onRequest = defineMiddleware(async (context, next) =\u003e {\n const isAuthed = false; // auth logic\n if (context.url.pathname === \"/admin\" \u0026\u0026 !isAuthed) {\n return context.redirect(\"/\");\n }\n return next();\n});\n```\n\n1. When tryint to access `/admin` the attacker is naturally redirected :\n ```sh\n curl -i http://localhost:4321/admin\n ```\n \u003cimg width=\"620\" height=\"102\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15a7bffc-ee56-4ed9-84b2-091cf4d78351\" /\u003e\n\n2. The attackr can bypass the middleware path check using a malicious header value:\n ```sh\n curl -i -H \"x-forwarded-proto: x:admin?\" http://localhost:4321/admin\n ```\n \u003cimg width=\"1348\" height=\"159\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d9d9ac1a-5efa-452b-981e-efea8a08d089\" /\u003e\n\n#### How \u200b\u200bis this possible?\n\nHere, with the payload `x:admin?`, the attacker can use the URL API parser to their advantage:\n\n- `x:` is considered the protocol\n- Since there is no `//`, the parser considers there to be no authority, and everything before the `?` character is therefore considered part of the path: `admin`\n\nDuring a path-based middleware check, the *path* value begins with a `/`: `context.url.pathname === \"/admin\"`. However, this is not the case with this payload; `context.url.pathname === \"admin\"`, the absence of a slash satisfies both the middleware check and the router and consequently allows us to bypass the protection and access the page.\n\n### SSRF\n\nAs seen, the request URL is built from untrusted input via the `x-forwarded-protocol` header, if it turns out that this URL is subsequently used to perform external network calls, for an API for example, this allows an attacker to supply a malicious URL that the server will fetch, resulting in server-side request forgery (SSRF).\n\nExample of code reusing the \"origin\" URL, concatenating it to the API endpoint :\n\n\u003cimg width=\"601\" height=\"418\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9c374b2c-841c-48d6-98f1-3b3f5b060802\" /\u003e\n\n### DoS via cache poisoning\n\nIf a CDN is present, it is possible to force the caching of bad pages/resources, or 404 pages on the application routes, rendering the application unusable.\n\nA `404` cab be forced, causing an error on the `/ssr` page like this : `curl -i -H \"x-forwarded-proto: https://localhost/vulnerable?\" http://localhost:4321/ssr`\n\u003cimg width=\"998\" height=\"108\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4bab58e5-3045-4e25-9aa2-2f72a0832d86\" /\u003e\n\nSame logic applies to `x-forwarded-port` : `curl -i -H \"x-forwarded-port: /vulnerable?\" http://localhost:4321/ssr`\n\n#### How \u200b\u200bis this possible?\n\nThe router sees the request for the path `/vulnerable`, which does not exist, and therefore returns a `404`, while the potential CDN sees `/ssr` and can then cache the `404` response, consequently serving it to all users requesting the path `/ssr`.\n\n### URL pollution\n\nThe exploitability of the following is also contingent on the presence of a CDN, and is therefore cache poisoning.\n\nIf the value of `request.url` is used to create links within the page, this can lead to Stored XSS with `x-forwarded-proto` and the following value:\n\n```\nx-forwarded-proto: javascript:alert(document.cookie)//\n```\n\nresults in the following URL object:\n\n\u003cimg width=\"444\" height=\"202\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c2990626-da5b-4868-9093-dbb9b34780ba\" /\u003e\n\nIt is also possible to inject any link, always, if the value of `request.url` is used on the server side to create links.\n\n```\nx-forwarded-proto: https://www.malicious-site.com/bad?\n```\n\n**The attacker is more limited with `x-forwarded-port`**\n\nIf the value of `request.url` is used to create links within the page, this can lead to broken links, with the header and the following value:\n\n```\nX-Forwarded-Port: /nope?\n```\n\nExample of an Astro website: \n\u003cimg width=\"1627\" height=\"298\" alt=\"Capture d\u2019e\u0301cran 2025-11-03 a\u0300 22 07 14\" src=\"https://github.com/user-attachments/assets/02de5e67-f48d-4bf4-810d-6b0714ad2c12\" /\u003e\n\n### WAF bypass\n\nFor this section, Astro invites users to read previous research on the React-Router/Remix framework, in the section \"Exploitation - WAF bypass and escalations\". This research deals with a similar case, the difference being that the vulnerable header was `x-forwarded-host` in their case:\n\n[https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path](https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path)\n\nNote: A section addressing DoS attacks via cache poisoning using the same vector was also included there.\n\n### CVE-2025-61925 complete bypass\n\nIt is possible to completely bypass the vulnerability patch related to the `X-Forwarded-Host` header.\n\nBy sending `x-forwarded-host` with an empty value, the `forwardedHostname` variable is assigned an empty string. Then, during [the subsequent check](https://github.com/withastro/astro/blob/7a5f28006e9b1f6ad77c7884991ba551ca9ff35b/packages/astro/src/core/app/node.ts#L107), the condition fails because `forwardedHostname ` returns `false`, its value being an empty string:\n\n```\nif (forwardedHostname \u0026\u0026 !App.validateForwardedHost(...))\n\n```\n\nConsequently, the implemented check is bypassed. From this point on, since the request has no `host` (*its value being an empty string*), the path value is retrieved by the URL parser to set it as the `host`. This is because the `http/https` schemes are considered special schemes by the [WHATWG URL Standard Specification](https://url.spec.whatwg.org/#scheme-state), requiring an `authority state`.\n\nFrom there, the following request on the example SSR application (astro repo) yields an SSRF:\n\u003cimg width=\"1878\" height=\"456\" alt=\"Capture d\u2019e\u0301cran 2025-11-06 a\u0300 21 18 26\" src=\"https://github.com/user-attachments/assets/c5cca89c-9c65-46f6-bf70-cd7a90a9e0d9\" /\u003e\n*empty `x-forwarded-host` + the target `host` in the path*\n\n## Credits\n\n- Allam Rachid ([zhero;](https://zhero-web-sec.github.io/research-and-things/))\n- Allam Yasser (inzo)",
"id": "GHSA-hr2q-hp5q-x767",
"modified": "2025-11-13T22:46:24Z",
"published": "2025-11-13T22:46:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64525"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass"
}
fkie_cve-2025-64525
Vulnerability from fkie_nvd
Published
2025-11-13 16:15
Modified
2025-11-25 15:14
Severity ?
Summary
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121 | Product | |
| security-advisories@github.com | https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97 | Product | |
| security-advisories@github.com | https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4 | Patch | |
| security-advisories@github.com | https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1C5C6C54-B40E-40C9-B3EF-905E2A559278",
"versionEndExcluding": "5.15.5",
"versionStartIncluding": "2.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch."
}
],
"id": "CVE-2025-64525",
"lastModified": "2025-11-25T15:14:02.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-13T16:15:56.447",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…