Withastro Astro
25 CVEs affecting Withastro Astro. Latest disclosed: 2026-05-13. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-59837 | High | 7.2 | 2025-10-28 | Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using… |
| CVE-2025-58179 | High | 7.2 | 2025-09-04 | Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configu… |
| CVE-2025-64764 | High | 7.1 | 2025-11-19 | Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application… |
| CVE-2026-33768 | Medium | 6.5 | 2026-03-24 | Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to… |
| CVE-2026-27829 | Medium | 6.5 | 2026-02-26 | Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictio… |
| CVE-2025-66202 | Medium | 6.5 | 2025-12-08 | Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentica… |
| CVE-2025-64525 | Medium | 6.5 | 2025-11-13 | Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilize on-demand rendering, request headers `x-forwarded-proto` and `x-forw… |
| CVE-2025-61925 | Medium | 6.5 | 2025-10-10 | Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It i… |
| CVE-2026-45028 | Medium | 6.1 | 2026-05-13 | Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots… |
| CVE-2026-41067 | Medium | 6.1 | 2026-04-24 | Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to… |
| CVE-2026-29772 | Medium | 5.9 | 2026-03-24 | Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a siz… |
| CVE-2026-27729 | Medium | 5.9 | 2026-02-24 | Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion Do… |
| CVE-2024-56140 | Medium | 5.9 | 2024-12-18 | Astro is a web framework for content-driven websites. In affected versions a bug in Astro's CSRF-protection middleware allows requests to bypass CSRF checks. W… |
| CVE-2024-47885 | Medium | 5.9 | 2024-10-14 | The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site… |
| CVE-2025-65019 | Medium | 5.4 | 2025-11-19 | Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization en… |
| CVE-2026-41322 | Medium | 5.3 | 2026-04-24 | @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resource from the _astro path with an incorrect/ma… |
| CVE-2025-64757 | Low | 3.5 | 2025-11-19 | Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local… |
| CVE-2025-64745 | Low | 2.7 | 2025-11-13 | Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's develop… |
| CVE-2026-33769 | | | 2026-03-24 | Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by se… |
| CVE-2026-25545 | | | 2026-02-24 | Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page (eg. `404.astro` or `500… |
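Two entries above (CVE-2025-64525 and CVE-2025-61925) share a root cause: absolute URLs were built from host and scheme values (`X-Forwarded-Host`, `X-Forwarded-Proto`) that any client can send. The following is an added example, not code from the Astro project or from the advisories, of the check a deployment should apply before using such values: forwarded headers are honoured only when the app is known to sit behind a proxy, and the resulting host must be on an allowlist either way. The allowlist, the `trustProxy` option and the sample requests are hypothetical.

```javascript
// Added example, not Astro's code: validate the host and scheme a request
// claims before building absolute URLs from them.
// Hypothetical deployment setting: the hostnames this site actually serves.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);

// Parse a Host-style value ("host" or "host:port"). Proxies may append
// comma-separated values; only the first hop is considered. Returns null
// for anything that is not a plain hostname or bracketed IPv6 literal.
function parseHostValue(value) {
  if (typeof value !== "string") return null;
  const first = value.split(",")[0].trim().toLowerCase();
  const m = /^([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(\d{1,5}))?$/.exec(first);
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { host: m[1], port };
}

// Build the public origin for a request. `headers` is a plain object of
// header names to values. Forwarded headers are honoured only when
// `trustProxy` is true (hypothetical option), and even then the resulting
// host must be allowlisted. Returns null when the request cannot be
// attributed to a host we serve, so callers fail closed.
function resolvePublicOrigin(headers, { trustProxy = false } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  let hostValue = h["host"];
  let proto = "http";
  if (trustProxy) {
    if (h["x-forwarded-host"] !== undefined) hostValue = h["x-forwarded-host"];
    if (h["x-forwarded-proto"] !== undefined) {
      proto = String(h["x-forwarded-proto"]).split(",")[0].trim().toLowerCase();
    }
  }
  if (proto !== "http" && proto !== "https") return null;

  const parsed = parseHostValue(hostValue);
  if (parsed === null || !ALLOWED_HOSTS.has(parsed.host)) return null;

  const defaultPort = proto === "https" ? 443 : 80;
  const portSuffix =
    parsed.port === null || parsed.port === defaultPort ? "" : `:${parsed.port}`;
  return `${proto}://${parsed.host}${portSuffix}`;
}

// Constructed sample requests (not captured traffic).
const HOST_SAMPLES = {
  direct: { Host: "example.com" },
  spoofedBehindNoProxy: {
    Host: "example.com",
    "X-Forwarded-Host": "attacker.example",
    "X-Forwarded-Proto": "https",
  },
  spoofedBehindProxy: {
    Host: "internal.lb",
    "X-Forwarded-Host": "attacker.example",
    "X-Forwarded-Proto": "https",
  },
  legitimateBehindProxy: {
    Host: "internal.lb",
    "X-Forwarded-Host": "www.example.com:443",
    "X-Forwarded-Proto": "https",
  },
  crlfInHost: { Host: "example.com\r\nSet-Cookie: x=1" },
};

function runHostSamples() {
  return {
    direct: resolvePublicOrigin(HOST_SAMPLES.direct),
    spoofedBehindNoProxy: resolvePublicOrigin(HOST_SAMPLES.spoofedBehindNoProxy),
    spoofedBehindProxy: resolvePublicOrigin(HOST_SAMPLES.spoofedBehindProxy, { trustProxy: true }),
    legitimateBehindProxy: resolvePublicOrigin(HOST_SAMPLES.legitimateBehindProxy, { trustProxy: true }),
    crlfInHost: resolvePublicOrigin(HOST_SAMPLES.crlfInHost),
  };
}

console.log(runHostSamples());
```

The point of the allowlist is that a "trust the proxy" switch is not enough on its own: a proxy that forwards client-supplied `X-Forwarded-Host` unchanged, or a misconfigured one that is reachable directly, still hands the application an attacker-chosen host. Rejecting with null rather than falling back to the raw `Host` header keeps the failure visible instead of silently reflecting the value.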
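CVE-2025-66202 in the table describes a double-URL-encoding bypass of path-based authentication. The general defence is to make the authorization decision on a canonical path and to fail closed on input that cannot be canonicalized, in particular on a path that still contains percent-escapes after being decoded once, which is exactly what a double-encoded request looks like. The block below is an added illustration of that check; it is not the Astro fix and not code from the project. The `/admin` prefix and the sample paths are hypothetical.

```javascript
// Added example, not Astro's code: authorize on a canonical path and fail
// closed when the path cannot be canonicalized.
// Hypothetical protected area of the site.
const PROTECTED_PREFIX = "/admin";

// Decode the request path exactly once and normalize it. Returns null when
// the path is malformed, still carries percent-escapes after one decode
// (double-encoded), or contains characters no legitimate path has.
function canonicalPath(rawPath) {
  if (typeof rawPath !== "string" || !rawPath.startsWith("/")) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed escape such as "%zz"
  }
  if (/%[0-9a-f]{2}/i.test(decoded)) return null; // double-encoded input
  if (/[\0\r\n\\]/.test(decoded)) return null;   // control chars, backslash
  // Resolve "." and ".." segments and collapse empty ones ("//", trailing "/").
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when the request must be authenticated. Paths that cannot be
// canonicalized are treated as protected so a confused parser cannot
// become a bypass.
function requiresAuth(rawPath) {
  const p = canonicalPath(rawPath);
  if (p === null) return true;
  return p === PROTECTED_PREFIX || p.startsWith(PROTECTED_PREFIX + "/");
}

// Constructed request paths (not captured traffic).
const PATH_SAMPLES = [
  "/admin",            // plain
  "/%61dmin",          // single-encoded "a"
  "/%2561dmin",        // double-encoded: decodes once to "/%61dmin"
  "/public/../admin",  // traversal into the protected area
  "/admin%2Fusers",    // encoded slash
  "/public",           // unprotected
  "/adminx",           // shares a prefix string but is a different route
  "/%zz",              // malformed escape
];

function classifySamples() {
  return Object.fromEntries(PATH_SAMPLES.map((p) => [p, requiresAuth(p)]));
}

console.log(classifySamples());
```

The check has to agree with how the framework's router actually resolves the path (decoding rules, case handling, trailing slashes); if the authorization layer normalizes differently from the router, the gap between the two is the bypass. Comparing with `===` or a `prefix + "/"` boundary rather than a bare `startsWith` keeps `/adminx` from being treated as part of `/admin`.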