6 matches found
CVE-2025-61925
| creationtimestamp | type | source |
|---|---|---|
| 2025-11-13 17:53:59+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3m5jqcg4ohh26... |
@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +17 more potentially affected by CVE-2025-61925 +1 more via astro (>=5.0.0-beta.5 <=5.15.1)
astro NPM version =5.0.0-beta.5, =1.0.0, =0.5.0, =0.0.1, =0.1.0, =0.0.1, =2.18.7, =0.1.2-alpha.1, =0.0.28, =0.0.28, =1.13.2, =0.1.8, =1.0.21, =0.0.1, =0.0.20 and more Source cves: CVE-2025-61925, CVE-2025-64525 Source advisory: SNYK:JS-ASTRO-13961342...
choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2025-61925 via @astrojs/node (>=9.2.2 <=9.3.0)
@astrojs/node NPM version =9.2.2, =0.3.1, =0.4.0 Source cves: CVE-2025-61925 Source advisory: SNYK:JS-ASTROJSNODE-13535086...
@ampt/astro (=0.0.1-beta.1), @antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1) +376 more potentially affected by CVE-2025-61925 via astro (>=0.20.12 <=5.14.1)
astro NPM version =0.20.12, =1.0.0, =1.0.0, =0.0.17, =0.0.2, =0.0.1, =0.2.0, =0.0.0-experimental-7c2f356, =0.0.0-experimental-7c2f356, =0.0.1, =0.0.1, =0.0.7 and more Source cves: CVE-2025-61925 Source advisory: OSV:GHSA-5FF5-9FCW-VG88...
@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @awesome-myst/myst-awesome (>=0.0.1 <=0.0.7) +10 more potentially affected by CVE-2025-61925 via astro (>=5.0.0-beta.5 <=5.14.1)
astro NPM version =5.0.0-beta.5, =1.0.0, =0.0.1, =0.0.1, =2.18.7, =0.1.2-alpha.1, =1.13.2, =0.1.8, =1.0.21, =0.0.1, =0.0.1, =1.249.8, =1.271.1 Source cves: CVE-2025-61925 Source advisory: SNYK:JS-ASTRO-13535085...
CVE-2025-61925 Astro's `X-Forwarded-Host` is reflected with no validation
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value of the `X-Forwarded-Host` header in output when using `Astro.url`, without any validation. It is common for web servers such as nginx to route requests via the `Host` header and to forward on other request headers. As such, a malicious reque...