CVE-2025-64745
Last modified
CVE-2025-64745 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. EPSS estimates a 0.21% chance of exploitation in the next 30 days.
Description
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Astro | Astro | >= 5.2.0, < 5.15.6 |
References
- https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-64745?
How severe is CVE-2025-64745?
How do I fix CVE-2025-64745?
Are you affected by CVE-2025-64745?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST