CVE-2025-64525
MEDIUM NUCLEIAstro 2.16.0-5.15.4 - Server-Side Request Forgery via x-forwarded-proto Header
Title source: llmExploitation Summary
CVE-2025-64525 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
Nuclei Templates (1)
Astro - Broken Access Control
MEDIUMVERIFIEDby zhero___,DhiyaneshDK
Shodan:
html:"_astro"
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767
Patch x_refsource_misc
https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4
Scores
CVSS v3
6.5
EPSS
0.0132
EPSS Percentile
80.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
astro/astro
2.16.0 - 5.15.5
npm/astro
2.16.0 - 5.15.5npm
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026