Description

Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.

INFO

Published Date :

2025-10-28T19:54:28.683Z

Last Modified :

2025-10-29T17:42:43.327Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59837 vulnerability.

Vendors Products
Astro
  • Astro
Withastro
  • Astro
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59837.

URL Resource
https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4 cve-icon cve-icon
https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252 cve-icon cve-icon
https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact