CVE-2025-59837

Published: Oct 28, 2025Modified: Nov 25, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.7

Source: NVD

Description

Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.

Affected (1)

Products: Astro: Astro

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Astro Astro	From 5.13.4 to 5.13.10

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4

Source: security-advisories@github.com

Patch

https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252

Source: security-advisories@github.com

Patch

https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2

Source: security-advisories@github.com

ExploitThird Party Advisory

Timeline

No history available yet.