SSRF in Withastro Astro

CVE-2026-25545

Astro is a web framework. Prior to version 9.5.4, server-side rendered pages that return an error with a prerendered custom error page (e.g. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.051 (90.0th percentile)
