CVE-2025-64525 — MEDIUM (6.5)

Q: How severe is CVE-2025-64525?

CVE-2025-64525 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-64525?

Check the references section above for vendor advisories and patch information. Affected products include: Astro Astro.

Vulnerability Description

Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Astro	Astro	>= 2.16.0, < 5.15.5

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2025-64525?

CVE-2025-64525 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without ...

How severe is CVE-2025-64525?

CVE-2025-64525 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-64525?

Check the references section above for vendor advisories and patch information. Affected products include: Astro Astro.