Vulnerability details: VCID-j82a-5r9t-mbht
Vulnerability ID VCID-j82a-5r9t-mbht
Aliases CVE-2025-59837
GHSA-qcpr-679q-rhm2
Summary Astro is a web framework that includes an image proxy. In versions from 5.13.4 up to, but not including, 5.13.10, the image proxy's domain validation can be bypassed by placing backslashes in the href parameter, which lets the server be made to request arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). The issue exists because the fix for CVE-2025-58179 was incomplete. Fixed in 5.13.10.
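The bypass class named in the summary, as an added illustrative example that is not Astro's code and does not reproduce the project's actual validation logic: a string-based allowlist check on an image-proxy href that treats anything not starting with a scheme or `//` as a same-site relative path, beside a hardened check that resolves the href with the WHATWG URL parser (which folds backslashes into slashes for http and https) and decides on the parsed hostname. The site origin, the allowlist, the function names and the probe inputs are constructed for this example.

```javascript
// Added example, not Astro's code: why a string-based domain check on an
// image-proxy `href` is bypassable with backslashes, and a hardened check.
// SITE, ALLOWED_HOSTS and the probe inputs are constructed assumptions.

const SITE = 'https://app.example.com';                 // assumed site origin
const ALLOWED_HOSTS = new Set(['images.example.com']);  // assumed remote image allowlist

// Weak pattern (illustrative, NOT Astro's implementation): only strings that
// *look* absolute (scheme:// or //) get a prefix check; everything else is
// assumed to be a same-site relative path and accepted as-is.
function naiveIsAllowed(href) {
  if (/^(https?:)?\/\//i.test(href)) {
    const lower = href.toLowerCase();
    return [...ALLOWED_HOSTS].some((h) => lower.startsWith(`https://${h}/`));
  }
  return true; // looks relative, so treated as "same origin"
}

// Hostname that a fetch() built on the WHATWG URL parser would actually contact.
// For special schemes (http/https) the parser treats "\" exactly like "/",
// so "\\evil.example\x" resolves to "https://evil.example/x".
function resolvedHost(href) {
  try {
    return new URL(href, SITE).hostname;
  } catch {
    return null; // unparseable input never reaches the network
  }
}

// Hardened check: decide on the *parsed* URL, using the same parser the
// request layer uses, never on the raw string.
function hardenedIsAllowed(href) {
  let url;
  try {
    url = new URL(href, SITE);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false; // no credentials in proxied URLs
  const siteHost = new URL(SITE).hostname;
  return url.hostname === siteHost || ALLOWED_HOSTS.has(url.hostname);
}

// Constructed probe inputs: two benign, one plainly external, and two
// backslash spellings of the external one.
const PROBES = [
  '/img/logo.png',
  'https://images.example.com/a.png',
  'https://evil.example/a.png',
  String.raw`\\evil.example\a.png`,
  String.raw`https:\\evil.example\a.png`,
];

// Runs every probe through both checks and reports where the request would go.
function evaluateProbes() {
  return PROBES.map((href) => ({
    href,
    naive: naiveIsAllowed(href),
    resolvedHost: resolvedHost(href),
    hardened: hardenedIsAllowed(href),
  }));
}

console.table(evaluateProbes());
```

Run with `node`: the two backslash probes pass the naive check yet resolve to `evil.example`, while the hardened check rejects them because it looks only at the hostname the parser produced. For an image proxy this host check is necessary but not sufficient against SSRF: an allowlisted name can still resolve to a loopback, link-local or private address, and HTTP redirects from an allowed host must be re-validated rather than followed blindly.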
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
epss 0.00044 https://api.first.org/data/v1/epss?cve=CVE-2025-59837
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-qcpr-679q-rhm2
cvssv3.1 7.2 https://github.com/withastro/astro
generic_textual HIGH https://github.com/withastro/astro
cvssv3.1 7.2 https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
generic_textual HIGH https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
ssvc Track https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
cvssv3.1 7.2 https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
generic_textual HIGH https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
ssvc Track https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
cvssv3.1 7.2 https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
cvssv3.1_qr HIGH https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
generic_textual HIGH https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
ssvc Track https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2025-59837
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-59837
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): changed
Confidentiality Impact (C): low
Integrity Impact (I): low
Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:42:34Z/ Found at https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4 (Exploitation: none; Automatable: yes; Technical Impact: partial; Decision: Track)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:42:34Z/ Found at https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:42:34Z/ Found at https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-59837
Exploit Prediction Scoring System (EPSS)
Percentile 0.13785
EPSS Score 0.00044
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:03:40.345583+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/59xxx/CVE-2025-59837.json 38.6.0