ghsa-5ff5-9fcw-vg88
Vulnerability from github
Published
2025-10-10 23:41
Modified
2025-10-10 23:41
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
Astro's `X-Forwarded-Host` is reflected without validation
Details

Summary

When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-10T23:41:29Z",
    "nvd_published_at": "2025-10-10T20:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an `X-Forwarded-Host` header that is reflected when using the recommended `Astro.url` property as there is no validation that the value is safe.\n\n### Details\nAstro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. \n\nIt is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value.\n\nThis could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.\n\nAs this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.\n\nMany other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.\n\n### PoC\n- Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server\n- `nvm use`\n- `yarn run build`\n- `node ./dist/server/entry.mjs`\n- `curl --location \u0027http://localhost:4321/\u0027 --header \u0027X-Forwarded-Host: www.evil.com\u0027 --header \u0027Host: www.example.com\u0027`\n- Observe that the response reflects the malicious `X-Forwarded-Host` header\n\nFor the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above `curl` request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.\n\n### Impact\n\nThis could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.",
  "id": "GHSA-5ff5-9fcw-vg88",
  "modified": "2025-10-10T23:41:29Z",
  "published": "2025-10-10T23:41:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chisnet/minimal_dynamic_astro_server"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withastro/astro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Astro\u0027s `X-Forwarded-Host` is reflected without validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.