CVE-2025-64745

2.7 LOW
Published: November 13, 2025 Modified: November 25, 2025
View on NVD

Description

Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149
Source: security-advisories@github.com
Product
https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
Source: security-advisories@github.com
Patch
https://github.com/withastro/astro/pull/12994
Source: security-advisories@github.com
Patch
https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7
Source: security-advisories@github.com
Exploit Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
2.7 / 10.0
EPSS (Exploit Probability)
0.0%
12th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

astro

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3