VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-swqw-zstu-37b8

Essentials
Severities (18)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-swqw-zstu-37b8
Aliases	CVE-2025-59837 GHSA-qcpr-679q-rhm2
Summary	Astro's bypass of image proxy domain validation leads to SSRF and potential XSS This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252). The fix blocks `http://`, `https://` and `//`, but can be bypassed using backslashes (`\`) - the endpoint still issues a server-side fetch.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-918	Server-Side Request Forgery (SSRF)
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00044	https://api.first.org/data/v1/epss?cve=CVE-2025-59837
epss	0.00044	https://api.first.org/data/v1/epss?cve=CVE-2025-59837
epss	0.00044	https://api.first.org/data/v1/epss?cve=CVE-2025-59837
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-qcpr-679q-rhm2
cvssv3.1	7.2	https://github.com/withastro/astro
generic_textual	HIGH	https://github.com/withastro/astro
cvssv3.1	7.2	https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
generic_textual	HIGH	https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
ssvc	Track	https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
cvssv3.1	7.2	https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
generic_textual	HIGH	https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
ssvc	Track	https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
cvssv3.1	7.2	https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
cvssv3.1_qr	HIGH	https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
generic_textual	HIGH	https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
ssvc	Track	https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
cvssv3.1	7.2	https://nvd.nist.gov/vuln/detail/CVE-2025-59837
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-59837

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-59837
		https://github.com/withastro/astro
		https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
		https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
CVE-2025-59837		https://nvd.nist.gov/vuln/detail/CVE-2025-59837
GHSA-qcpr-679q-rhm2		https://github.com/advisories/GHSA-qcpr-679q-rhm2
GHSA-qcpr-679q-rhm2		https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:42:34Z/ Found at https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:42:34Z/ Found at https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-29T17:42:34Z/ Found at https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-59837

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.13796
EPSS Score	0.00044
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:48:17.505570+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/astro/CVE-2025-59837.yml	38.6.0