Описание
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via x-forwarded-proto), DoS via cache poisoning (if a CDN is present), SSRF (only via x-forwarded-proto), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
Ссылки
- Product
- Product
- Patch
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 2.16.0 (включая) до 5.15.5 (исключая)
cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 83%
0.02044
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-918
Связанные уязвимости
CVSS3: 6.5
github
около 1 месяца назад
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
EPSS
Процентиль: 83%
0.02044
Низкий
6.5 Medium
CVSS3
Дефекты
CWE-918