CVE-2025-61925

6.5 MEDIUM

📋 TL;DR

Astro web framework versions before 5.14.2 copy the unvalidated X-Forwarded-Host request header into Astro.url (context.url in endpoints and middleware). Any page that builds absolute URLs from it, such as canonical links, og:url tags, form actions or redirects, can be made to point at an attacker-chosen host. The practical risk is for sites in dynamic (on-demand/SSR) rendering mode behind a caching proxy: one poisoned request can be cached and the manipulated page served to every subsequent visitor.

💻 Affected Systems

Products:
  • Astro web framework
Versions: All versions prior to 5.14.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects dynamic (on-demand/SSR) rendering; prerendered static output does not compute Astro.url per request. Cross-user impact requires a caching proxy in front that forwards a client-supplied X-Forwarded-Host header and caches the resulting response.

📦 What is this software?

Astro is an open-source JavaScript web framework for content-driven sites. Pages can be prerendered to static HTML or rendered on demand through a server adapter (for example @astrojs/node). Astro.url, available as context.url in endpoints and middleware, is the request URL the framework exposes to pages, and it is this value that the vulnerability affects.

⚠️ Risk & Real-World Impact

🔴

Worst Case

If a page derives a form action, redirect target or API base from Astro.url, a cached poisoned response can send credentials or other sensitive form submissions to an attacker-controlled host, enabling credential theft or session hijacking.

🟠

Likely Case

Canonical links, og:url tags and other absolute URL references are rewritten to an attacker-chosen host, poisoning SEO signals or lending a phishing site the appearance of being the legitimate origin.

🟢

If Mitigated

With proper validation or patching, the header reflection is prevented, eliminating the injection vector.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires only the ability to send an HTTP request carrying an attacker-chosen X-Forwarded-Host header. Affecting other users additionally requires a caching layer in front of the application that passes the header through and caches the response.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.14.2

Vendor Advisory: https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88

Restart Required: No

Instructions:

1. Upgrade Astro to 5.14.2 or later: npm install astro@^5.14.2 (npm update does not accept a version spec)
2. Verify the installed version: npm list astro
3. Rebuild and redeploy the application; the fix ships in the built server bundle.

🔧 Temporary Workarounds

Header validation middleware

all

Add Astro middleware (src/middleware.ts) that compares the incoming X-Forwarded-Host value, and the host Astro already derived into context.url, against an allowlist of hostnames you actually serve, and returns 400 otherwise. Middleware runs after the request URL has been built, so deleting the header there does not change Astro.url; rejecting the request does prevent a poisoned page from being generated or cached. Where you control the reverse proxy, overwriting the header there (for nginx: proxy_set_header X-Forwarded-Host $host;) is the stronger fix.
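
The allowlist check described above, written out as an added example (not code from the Astro project or from the advisory). It is shaped as an Astro onRequest(context, next) handler so it can be exported from src/middleware.js, but it uses only the WHATWG Request/Response/Headers/URL globals (Node 18+), so it runs on its own here. The hostnames in DEFAULT_ALLOWED_HOSTS, the fake context built in demo() and all function names are assumptions.

```javascript
// Added example, not code from Astro or from the advisory. An allowlist check for
// the forwarded host, shaped as an Astro middleware handler (context, next) so it
// can be exported as `onRequest` from src/middleware.js. Only WHATWG globals
// (Request/Response/Headers/URL, Node 18+) are used, so it runs stand-alone.

// Hostnames this deployment legitimately serves (assumed values).
const DEFAULT_ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Normalise one host entry: trim, lower-case, drop a trailing :port (bracketed
// IPv6 literals keep their brackets). Returns null for anything that is not a
// plain hostname, IPv4 address or bracketed IPv6 literal.
function normalizeHost(entry) {
  const h = entry.trim().toLowerCase();
  const host = h.startsWith('[') ? h.replace(/\]:\d+$/, ']') : h.replace(/:\d+$/, '');
  return /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)$/.test(host) ? host : null;
}

// X-Forwarded-Host may be comma-separated when several proxies append to it.
// Every entry must be a host we serve, so a bad value cannot hide behind a good one.
function isAllowedHost(value, allowed = DEFAULT_ALLOWED_HOSTS) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  return value.split(',').every((e) => {
    const h = normalizeHost(e);
    return h !== null && allowed.includes(h);
  });
}

// By the time middleware runs, context.url has already been derived (on
// vulnerable versions, from X-Forwarded-Host), so deleting the header here would
// not change Astro.url. Check both the raw header and the derived host.
function checkForwardedHost(context, allowed = DEFAULT_ALLOWED_HOSTS) {
  const xfh = context.request.headers.get('x-forwarded-host');
  if (xfh !== null && !isAllowedHost(xfh, allowed)) {
    return { ok: false, reason: `untrusted X-Forwarded-Host: ${xfh}` };
  }
  if (!isAllowedHost(context.url.host, allowed)) {
    return { ok: false, reason: `untrusted derived host: ${context.url.host}` };
  }
  return { ok: true, reason: '' };
}

// Factory returning an onRequest(context, next) handler. Returning a Response
// short-circuits the request; Cache-Control: no-store keeps a proxy from caching
// the rejection under the poisoned key. The attacker value is deliberately not
// echoed in the response body.
function createHostGuard(allowed = DEFAULT_ALLOWED_HOSTS) {
  return function onRequest(context, next) {
    const verdict = checkForwardedHost(context, allowed);
    if (!verdict.ok) {
      return new Response('Bad Request', {
        status: 400,
        headers: { 'Cache-Control': 'no-store' },
      });
    }
    return next();
  };
}

// Stand-alone demo with a constructed request and a minimal fake APIContext.
// The adapter behaviour on vulnerable versions (derive the public URL from
// X-Forwarded-Host when present) is simulated here; returns the HTTP status.
function demo(forwardedHost) {
  const headers = new Headers();
  if (forwardedHost !== undefined) headers.set('x-forwarded-host', forwardedHost);
  const request = new Request('http://127.0.0.1:4321/login', { headers });
  const publicHost =
    forwardedHost !== undefined ? forwardedHost.split(',')[0].trim() : 'www.example.com';
  const context = { request, url: new URL(`https://${publicHost}/login`) };
  const next = () => new Response('login page', { status: 200 });
  return createHostGuard()(context, next).status;
}
```

To wire it in, src/middleware.ts would export it through Astro's own wrapper, e.g. `export const onRequest = defineMiddleware(createHostGuard(['www.example.com']))` with `defineMiddleware` imported from `astro:middleware`. Keep the allowlist to the exact hostnames the site answers on; a wildcard allowlist reintroduces the problem.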

Disable caching for dynamic content

all

Configure the caching proxy not to cache on-demand rendered pages that use Astro.url (or to include X-Forwarded-Host in the cache key, which confines a poisoned response to the attacker's own cache entry). This removes the cross-user impact but not the reflection itself.

🧯 If You Can't Patch

  • At the reverse proxy or WAF, overwrite X-Forwarded-Host with the real public host (nginx: proxy_set_header X-Forwarded-Host $host;) or drop requests carrying a value that is not a hostname you serve
  • Audit every use of Astro.url and context.url in pages, endpoints and middleware, and build absolute URLs from a configured site origin rather than from the request

🔍 How to Verify

Check if Vulnerable:

Vulnerable if the installed astro package is below 5.14.2 and any page or endpoint uses Astro.url (or context.url) in dynamic (on-demand/SSR) rendering. A caching proxy in front raises the impact from the attacker's own request to every subsequent visitor.

Check Version:

npm list astro | grep astro

Verify Fix Applied:

Request a page that renders Astro.url.href (or a canonical link built from it) with a spoofed header, e.g. X-Forwarded-Host: attacker.example, and confirm the rendered output still shows your real hostname. Repeat once through the caching proxy and once directly against the application.

📡 Detection & Monitoring

Log Indicators:

  • X-Forwarded-Host values that are not one of the hostnames you serve (compare against an allowlist; at the backend, Host differing from X-Forwarded-Host is normal when the proxy rewrites Host to the upstream name, so that comparison alone is noisy)
  • Comma-separated, empty or malformed X-Forwarded-Host values

Network Indicators:

  • Requests arriving at the edge that already carry an X-Forwarded-Host header: only your own proxies should set it, so a client-supplied value is a probe or an attack

SIEM Query (pseudo-syntax; adapt field names and the hostname list to your platform):

http.headers:X-Forwarded-Host AND NOT http.headers:X-Forwarded-Host=(www.example.com OR example.com)
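
The log check above, run over constructed sample lines, as an added example (not from this page or the Astro project). It assumes the proxy writes JSON access-log lines with the fields ts, client, host, xfh and path (for nginx, a log_format with escape=json and $http_x_forwarded_host would produce this); the field names, the allowlist and the sample lines are assumptions.

```javascript
// Added example, not from the page or the Astro project: scan proxy access logs
// for X-Forwarded-Host values that are not hostnames this site serves. The JSON
// field names (ts, client, host, xfh, path, status) are an assumed log format.

// Hostnames this site answers on (assumed values).
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Constructed sample log: a clean request, a spoofed value, a multi-hop value
// hiding a spoofed entry, a request without the header, and a malformed line.
const SAMPLE_LOG = [
  '{"ts":"2025-10-01T10:00:00Z","client":"198.51.100.7","host":"app-backend:4321","xfh":"www.example.com","path":"/","status":200}',
  '{"ts":"2025-10-01T10:00:01Z","client":"203.0.113.5","host":"app-backend:4321","xfh":"evil.example","path":"/login","status":200}',
  '{"ts":"2025-10-01T10:00:02Z","client":"203.0.113.5","host":"app-backend:4321","xfh":"www.example.com, evil.example","path":"/login","status":200}',
  '{"ts":"2025-10-01T10:00:03Z","client":"198.51.100.9","host":"app-backend:4321","xfh":"","path":"/about","status":200}',
  'not json at all',
];

// Lower-case, trim and drop a trailing :port so "WWW.EXAMPLE.COM:443" matches.
function hostKey(entry) {
  return entry.trim().toLowerCase().replace(/:\d+$/, '');
}

// Classify one X-Forwarded-Host value; null means nothing to flag.
// The backend Host field is deliberately not compared against xfh: behind a
// proxy that rewrites Host to the upstream name they always differ.
function classifyXfh(xfh) {
  if (!xfh) return null; // header absent or empty: the proxy added nothing
  const entries = xfh.split(',').map(hostKey).filter(Boolean);
  if (entries.length === 0) return `unparseable value: ${JSON.stringify(xfh)}`;
  const bad = entries.filter((h) => !ALLOWED_HOSTS.has(h));
  if (bad.length > 0) return `untrusted host(s): ${bad.join(', ')}`;
  if (entries.length > 1) return `multi-valued header: ${xfh}`;
  return null;
}

// Walk the log, collect findings and count them per client so repeated probing
// from one source stands out. Malformed lines are counted, not fatal.
function scanLog(lines) {
  const findings = [];
  let skipped = 0;
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      skipped += 1;
      continue;
    }
    const reason = classifyXfh(rec.xfh);
    if (reason) findings.push({ ts: rec.ts, client: rec.client, path: rec.path, xfh: rec.xfh, reason });
  }
  const perClient = {};
  for (const f of findings) perClient[f.client] = (perClient[f.client] || 0) + 1;
  return { findings, perClient, skipped };
}
```

Run scanLog over a day of access logs and page on any finding; on a correctly configured proxy that overwrites the header, findings should be zero, so a single hit is worth a look even without a volume threshold.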
