Astro (Node.js) – Support, CVEs & Health

GHSA-2pvr-wf23-7pc7 CVSS_V3

Astro: Host header SSRF in prerendered error page fetch

Published: 2026-06-16 Fixed in: 6.4.6

GHSA-49w6-73cw-chjr CVSS_V4

Astro's server source code is exposed to the public if sourcemaps are enabled

Published: 2024-12-19 Fixed in: 5.0.8

GHSA-5ff5-9fcw-vg88 CVSS_V3

Astro's `X-Forwarded-Host` is reflected without validation

Published: 2025-10-10 Fixed in: 5.14.3

GHSA-8hv8-536x-4wqp CVSS_V3

Astro: Reflected XSS via unescaped slot name

Published: 2026-06-16 Fixed in: 6.3.3

GHSA-c4pw-33h3-35xw CVSS_V3

Atro CSRF Middleware Bypass (security.checkOrigin)

Published: 2024-12-18 Fixed in: 4.16.17

GHSA-cq8c-xv66-36gw CVSS_V4

Astros's duplicate trailing slash feature leads to an open redirection security issue

Published: 2025-08-07 Fixed in: 5.12.8

GHSA-fvmw-cj7j-j39q CVSS_V3

Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint

Published: 2025-11-19 Fixed in: 5.15.9

GHSA-g735-7g2w-hh3f CVSS_V3

Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Published: 2026-03-26 Fixed in: 5.18.1

GHSA-ggxq-hp9w-j794 CVSS_V4

Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

Published: 2025-11-19 Fixed in: 5.15.8

GHSA-hr2q-hp5q-x767 CVSS_V3

Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass

Published: 2025-11-13 Fixed in: 5.15.5

Astro