Astro Support & Health

GHSA-49w6-73cw-chjr CVSS_V4

Astro's server source code is exposed to the public if sourcemaps are enabled

Published: 2024-12-19 Fixed in: 5.0.8

GHSA-5ff5-9fcw-vg88 CVSS_V3

Astro's `X-Forwarded-Host` is reflected without validation

Published: 2025-10-10 Fixed in: 5.14.3

GHSA-c4pw-33h3-35xw CVSS_V3

Atro CSRF Middleware Bypass (security.checkOrigin)

Published: 2024-12-18 Fixed in: 4.16.17

GHSA-cq8c-xv66-36gw CVSS_V4

Astros's duplicate trailing slash feature leads to an open redirection security issue

Published: 2025-08-07 Fixed in: 5.12.8

GHSA-fvmw-cj7j-j39q CVSS_V3

Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint

Published: 2025-11-19 Fixed in: 5.15.9

GHSA-g735-7g2w-hh3f CVSS_V3

Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Published: 2026-03-26 Fixed in: 5.18.1

GHSA-ggxq-hp9w-j794 CVSS_V4

Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

Published: 2025-11-19 Fixed in: 5.15.8

GHSA-hr2q-hp5q-x767 CVSS_V3

Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass

Published: 2025-11-13 Fixed in: 5.15.5

GHSA-j687-52p2-xcff CVSS_V3

Astro: XSS in define:vars via incomplete </script> tag sanitization

Published: 2026-04-21 Fixed in: 6.1.6

GHSA-m85w-3h95-hcf9 CVSS_V3

DOM Clobbering Gadget found in astro's client-side router that leads to XSS

Published: 2024-10-14 Fixed in: 4.16.1

Astro