| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-7wau-f9fg-8fdf |
| vulnerability_id |
VCID-7wau-f9fg-8fdf |
| summary |
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61925 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18433 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.1841 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18412 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18249 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61925 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-61925, GHSA-5ff5-9fcw-vg88
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7wau-f9fg-8fdf |
|
| 1 |
| url |
VCID-b4s1-kv89-3bb2 |
| vulnerability_id |
VCID-b4s1-kv89-3bb2 |
| summary |
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64765 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12787 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12796 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12805 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12705 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64765 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-64765, GHSA-ggxq-hp9w-j794
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b4s1-kv89-3bb2 |
|
| 2 |
| url |
VCID-bz6r-5yej-3qha |
| vulnerability_id |
VCID-bz6r-5yej-3qha |
| summary |
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/withastro/astro |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/withastro/astro |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/withastro/astro/pull/16457 |
| reference_id |
16457 |
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:29:40Z/ |
|
|
| url |
https://github.com/withastro/astro/pull/16457 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-45028, GHSA-xr5h-phrj-8vxv
|
| risk_score |
2.8 |
| exploitability |
0.5 |
| weighted_severity |
5.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bz6r-5yej-3qha |
|
| 3 |
| url |
VCID-f73c-5tds-97ds |
| vulnerability_id |
VCID-f73c-5tds-97ds |
| summary |
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64525 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01323 |
| scoring_system |
epss |
| scoring_elements |
0.80379 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.01323 |
| scoring_system |
epss |
| scoring_elements |
0.80387 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.01323 |
| scoring_system |
epss |
| scoring_elements |
0.80371 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.01323 |
| scoring_system |
epss |
| scoring_elements |
0.8031 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64525 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-64525, GHSA-hr2q-hp5q-x767
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f73c-5tds-97ds |
|
| 4 |
| url |
VCID-fzh9-5617-wkd5 |
| vulnerability_id |
VCID-fzh9-5617-wkd5 |
| summary |
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64745 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11614 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11644 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.1165 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11572 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64745 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-64745, GHSA-w2vj-39qv-7vh7
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fzh9-5617-wkd5 |
|
| 5 |
| url |
VCID-g9xj-txj9-sug8 |
| vulnerability_id |
VCID-g9xj-txj9-sug8 |
| summary |
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33769 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.1117 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11138 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11111 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11177 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-33769 |
|
| 1 |
| reference_url |
https://github.com/withastro/astro |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/withastro/astro |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-33769, GHSA-g735-7g2w-hh3f
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g9xj-txj9-sug8 |
|
| 6 |
| url |
VCID-ky4s-r5br-6ydw |
| vulnerability_id |
VCID-ky4s-r5br-6ydw |
| summary |
Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-54793 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01096 |
| scoring_system |
epss |
| scoring_elements |
0.78483 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.01096 |
| scoring_system |
epss |
| scoring_elements |
0.78472 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.01096 |
| scoring_system |
epss |
| scoring_elements |
0.78487 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.01096 |
| scoring_system |
epss |
| scoring_elements |
0.78405 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-54793 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/astro@5.12.8 |
| purl |
pkg:npm/astro@5.12.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-fzh9-5617-wkd5 |
|
| 5 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 6 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 7 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 8 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 9 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 10 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
| 11 |
| vulnerability |
VCID-yv41-uv7j-buf8 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@5.12.8 |
|
|
| aliases |
CVE-2025-54793, GHSA-cq8c-xv66-36gw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ky4s-r5br-6ydw |
|
| 7 |
| url |
VCID-pbvu-bf73-u3ek |
| vulnerability_id |
VCID-pbvu-bf73-u3ek |
| summary |
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41067 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.17078 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16936 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.17104 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.17092 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-41067 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-41067, GHSA-j687-52p2-xcff
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pbvu-bf73-u3ek |
|
| 8 |
| url |
VCID-qhy1-e5yu-mff5 |
| vulnerability_id |
VCID-qhy1-e5yu-mff5 |
| summary |
Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64757 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.06303 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.06333 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.06312 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.06322 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64757 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-64757, GHSA-x3h8-62x9-952g
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qhy1-e5yu-mff5 |
|
| 9 |
| url |
VCID-v78c-t2s8-skdb |
| vulnerability_id |
VCID-v78c-t2s8-skdb |
| summary |
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-65019 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.1025 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.1026 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.10211 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00033 |
| scoring_system |
epss |
| scoring_elements |
0.10264 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-65019 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-65019, GHSA-fvmw-cj7j-j39q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v78c-t2s8-skdb |
|
| 10 |
| url |
VCID-xbf5-y4wx-7ue1 |
| vulnerability_id |
VCID-xbf5-y4wx-7ue1 |
| summary |
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64764 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00243 |
| scoring_system |
epss |
| scoring_elements |
0.47983 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00243 |
| scoring_system |
epss |
| scoring_elements |
0.47982 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00243 |
| scoring_system |
epss |
| scoring_elements |
0.47841 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00243 |
| scoring_system |
epss |
| scoring_elements |
0.47998 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-64764 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-64764, GHSA-wrwg-2hg8-v723
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xbf5-y4wx-7ue1 |
|
| 11 |
| url |
VCID-y314-jwfh-bqdq |
| vulnerability_id |
VCID-y314-jwfh-bqdq |
| summary |
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-66202, GHSA-whqg-ppgf-wp8c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y314-jwfh-bqdq |
|
| 12 |
| url |
VCID-yv41-uv7j-buf8 |
| vulnerability_id |
VCID-yv41-uv7j-buf8 |
| summary |
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-55303 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32758 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32735 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32555 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00134 |
| scoring_system |
epss |
| scoring_elements |
0.32737 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-55303 |
|
| 1 |
| reference_url |
https://github.com/withastro/astro |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
6.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/withastro/astro |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 |
| reference_id |
GHSA-xf8x-j4p2-f749 |
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-19T20:49:42Z/ |
|
|
| url |
https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/astro@5.13.2 |
| purl |
pkg:npm/astro@5.13.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7wau-f9fg-8fdf |
|
| 1 |
| vulnerability |
VCID-b4s1-kv89-3bb2 |
|
| 2 |
| vulnerability |
VCID-bz6r-5yej-3qha |
|
| 3 |
| vulnerability |
VCID-f73c-5tds-97ds |
|
| 4 |
| vulnerability |
VCID-fzh9-5617-wkd5 |
|
| 5 |
| vulnerability |
VCID-g9xj-txj9-sug8 |
|
| 6 |
| vulnerability |
VCID-pbvu-bf73-u3ek |
|
| 7 |
| vulnerability |
VCID-qhy1-e5yu-mff5 |
|
| 8 |
| vulnerability |
VCID-v78c-t2s8-skdb |
|
| 9 |
| vulnerability |
VCID-xbf5-y4wx-7ue1 |
|
| 10 |
| vulnerability |
VCID-y314-jwfh-bqdq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/astro@5.13.2 |
|
|
| aliases |
CVE-2025-55303, GHSA-xf8x-j4p2-f749
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yv41-uv7j-buf8 |
|
|
|---|