What is CVE-2025-59837?

CVE-2025-59837 is a high-severity vulnerability in Withastro Astro, classified under Server-Side Request Forgery (SSRF). CVSS score: 7.2/10. Published 2025-10-28.

How severe is CVE-2025-59837?

High severity. CVSS v3 base score is 7.2 out of 10.

XSS in Withastro Astro

CVE-2025-59837

Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary UR…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (13.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.

Affected products

Withastro Astro — versions >= 5.13.4, < 5.13.10

Weakness classification (CWE)

References

https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2 (x_refsource_CONFIRM)
https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4 (x_refsource_MISC)
https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-59837?: CVE-2025-59837 is a high-severity vulnerability in Withastro Astro, classified under Server-Side Request Forgery (SSRF). CVSS score: 7.2/10. Published 2025-10-28.
How severe is CVE-2025-59837?: High severity. CVSS v3 base score is 7.2 out of 10.