QwikSec

Security Database

CVE

CWE

Training

CVE-2025-59837

Published: Oct 28, 2025

Modified: Oct 29, 2025

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.

Vendor	Product	Versions
withastro	astro	affected `>= 5.13.4, < 5.13.10`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2

x_refsource_CONFIRM

https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4

x_refsource_MISC

https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.