pkg:npm/astro

17 total CVEs (severity breakdown: HIGH 2, MEDIUM 10, LOW 2)


All known vulnerabilities

  • HIGH 7.2 | CVE-2025-59837: Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
    Affected versions: >= 5.13.4, < 5.13.10
  • HIGH 7.1 | CVE-2025-64764: Astro vulnerable to reflected XSS via the server islands feature
    Affected versions: from 0, < 5.15.8
  • MEDIUM 6.5 | CVE-2025-66202: Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
    Affected versions: from 0, < 5.15.8
  • MEDIUM 6.5 | CVE-2025-64525: Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
    Affected versions: >= 2.16.0, < 5.15.5
  • MEDIUM 6.5 | CVE-2025-61925: Astro's `X-Forwarded-Host` is reflected without validation
    Affected versions: from 0, < 5.14.3
  • MEDIUM 6.1 | CVE-2026-45028: Astro: Server island encrypted parameters vulnerable to cross-component replay
    Affected versions: from 0, < 6.1.10
  • MEDIUM 6.1 | CVE-2026-41067: Astro: XSS in define:vars via incomplete </script> tag sanitization
    Affected versions: from 0, < 6.1.6
  • MEDIUM 6.1 | CVE-2025-55303: Astro allows unauthorized third-party images in _image endpoint
    Affected versions: >= 5.0.0-alpha.0, < 5.13.2
  • MEDIUM 5.9 | CVE-2024-56140: Astro CSRF Middleware Bypass (security.checkOrigin)
    Affected versions: from 0, < 4.16.17
  • MEDIUM 5.9 | CVE-2024-47885: DOM Clobbering Gadget found in astro's client-side router that leads to XSS
    Affected versions: >= 3.0.0, < 4.16.1
  • MEDIUM 5.4 | CVE-2025-65019: Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
    Affected versions: from 0, < 5.15.9
  • MEDIUM 5.3 | CVE-2026-33769: Astro: Remote allowlist bypass via unanchored matchPathname wildcard
    Affected versions: >= 2.10.10, < 5.18.1
  • LOW 3.5 | CVE-2025-64757: Astro Development Server has Arbitrary Local File Read
    Affected versions: from 0, < 5.14.3
  • LOW 2.7 | CVE-2025-64745: Astro development server error page is vulnerable to reflected Cross-site Scripting
    Affected versions: >= 5.2.0, < 5.15.6
  • CVE-2025-64765: Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
    Affected versions: from 0, < 5.15.8
  • CVE-2025-54793: Astro's duplicate trailing slash feature leads to an open redirection security issue
    Affected versions: >= 5.2.0, < 5.12.8
  • CVE-2024-56159: Astro's server source code is exposed to the public if sourcemaps are enabled
    Affected versions: >= 5.0.0-alpha.0, < 5.0.8