Description
Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7
Patch x_refsource_misc
https://github.com/withastro/astro/pull/12994
Patch x_refsource_misc
https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
Scores
CVSS v3
2.7
EPSS
0.0003
EPSS Percentile
9.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
astro/astro
5.2.0 - 5.15.6
npm/astro
5.2.0 - 5.15.6npm
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026