Severity | CVSS | CVE | Advisory | Affected versions
HIGH | 7.2 | CVE-2025-59837 | Astro's bypass of image proxy domain validation leads to SSRF and potential XSS | >= 5.13.4, < 5.13.10
HIGH | 7.1 | CVE-2025-64764 | Astro vulnerable to reflected XSS via the server islands feature | from 0, < 5.15.8
MEDIUM | 6.5 | CVE-2025-66202 | Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 | from 0, < 5.15.8
MEDIUM | 6.5 | (not listed) | Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass | >= 2.16.0, < 5.15.5
MEDIUM | 6.5 | (not listed) | Astro's `X-Forwarded-Host` is reflected without validation | from 0, < 5.14.3
MEDIUM | 6.1 | (not listed) | Astro: Server island encrypted parameters vulnerable to cross-component replay | from 0, < 6.1.10
MEDIUM | 6.1 | (not listed) | Astro: XSS in define:vars via incomplete </script> tag sanitization | from 0, < 6.1.6
MEDIUM | 6.1 | (not listed) | Astro allows unauthorized third-party images in _image endpoint | >= 5.0.0-alpha.0, < 5.13.2
MEDIUM | 5.9 | (not listed) | Astro CSRF Middleware Bypass (security.checkOrigin) | from 0, < 4.16.17
MEDIUM | 5.9 | (not listed) | DOM Clobbering Gadget found in astro's client-side router that leads to XSS | >= 3.0.0, < 4.16.1
MEDIUM | 5.4 | (not listed) | Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint | from 0, < 5.15.9
MEDIUM | 5.3 | (not listed) | Astro: Remote allowlist bypass via unanchored matchPathname wildcard | >= 2.10.10, < 5.18.1
LOW | 3.5 | (not listed) | Astro Development Server has Arbitrary Local File Read | from 0, < 5.14.3
LOW | 2.7 | (not listed) | Astro development server error page is vulnerable to reflected Cross-site Scripting | >= 5.2.0, < 5.15.6
(not rated) | — | (not listed) | Astro's middleware authentication checks based on url.pathname can be bypassed via URL-encoded values | from 0, < 5.15.8
(not rated) | — | (not listed) | Astro's duplicate trailing slash feature leads to an open redirection security issue | >= 5.2.0, < 5.12.8
(not rated) | — | (not listed) | Astro's server source code is exposed to the public if sourcemaps are enabled | >= 5.0.0-alpha.0, < 5.0.8