astro-5.1.3.tgz: 11 vulnerabilities (highest severity is: 6.5) #22
Description
Vulnerable Library - astro-5.1.3.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.1.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json,/toolbar-app/package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (astro version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-62522 |  Medium |
6.5 | vite-6.0.11.tgz | Transitive | N/A* | ❌ |
| CVE-2025-61925 | Medium |
6.5 | astro-5.1.3.tgz | Direct | 5.14.3 | ✅ |
| CVE-2025-32395 | Medium |
6.5 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-58752 | Medium |
5.3 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-58751 | Medium |
5.3 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-46565 | Medium |
5.3 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-31486 | Medium |
5.3 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-31125 | Medium |
5.3 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-30208 | Medium |
5.3 | vite-6.0.11.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-57820 |  Low |
0.0 | devalue-5.1.1.tgz | Transitive | 5.1.4 | ✅ |
| CVE-2025-55303 | Low |
0.0 | astro-5.1.3.tgz | Direct | N/A | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-62522
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. In versions from 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11, files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Only apps explicitly exposing the Vite dev server to the network and running the dev server on Windows were affected. This issue has been patched in versions 5.4.21, 6.4.1, 7.0.8, and 7.1.11.
Publish Date: 2025-10-20
URL: CVE-2025-62522
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
CVE-2025-61925
Vulnerable Library - astro-5.1.3.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.1.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json,/toolbar-app/package.json
Dependency Hierarchy:
- ❌ astro-5.1.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in "X-Forwarded-Host" in output when using "Astro.url" without any validation. It is common for web servers such as nginx to route requests via the "Host" header, and forward on other request headers. As such as malicious request can be sent with both a "Host" header and an "X-Forwarded-Host" header where the values do not match and the "X-Forwarded-Host" header is malicious. Astro will then return the malicious value. This could result in any usages of the "Astro.url" value in code being manipulated by a request. For example if a user follows guidance and uses "Astro.url" for a canonical link the canonical link can be manipulated to another site. It is theoretically possible that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party. As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users. Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues. This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy. Version 5.14.2 contains a fix for the issue.
Publish Date: 2025-10-10
URL: CVE-2025-61925
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-5ff5-9fcw-vg88
Release Date: 2025-10-10
Fix Resolution: 5.14.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-32395
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2. On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) and running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) are affected. This vulnerability is fixed in 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13.
Publish Date: 2025-04-10
URL: CVE-2025-32395
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-356w-63v5-8wf4
Release Date: 2025-04-10
Fix Resolution (vite): 6.0.15
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58752
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use "appType: 'spa'" (default) or "appType: 'mpa'" are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58752
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-09-08
Fix Resolution (vite): 6.3.6
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-58751
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or "server.host" config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Publish Date: 2025-09-08
URL: CVE-2025-58751
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g4jq-h2w9-997c
Release Date: 2025-09-08
Fix Resolution (vite): 6.3.6
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-46565
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. "server.fs.deny" can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under "root" by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
Publish Date: 2025-05-01
URL: CVE-2025-46565
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-859w-5945-r5v3
Release Date: 2025-05-01
Fix Resolution (vite): 6.1.6
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31486
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5.
Publish Date: 2025-04-03
URL: CVE-2025-31486
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-04-03
Fix Resolution (vite): 6.0.14
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31125
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Publish Date: 2025-03-31
URL: CVE-2025-31125
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-31
Fix Resolution (vite): 6.0.13
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-30208
Vulnerable Library - vite-6.0.11.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-6.0.11.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ vite-6.0.11.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. "@fs" denies access to files outside of Vite serving allow list. Adding "?raw??" or "?import&raw??" to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as "?" are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using "--host" or "server.host" config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
Publish Date: 2025-03-24
URL: CVE-2025-30208
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-24
Fix Resolution (vite): 6.0.12
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-57820
Vulnerable Library - devalue-5.1.1.tgz
Gets the job done when JSON.stringify can't
Library home page: https://registry.npmjs.org/devalue/-/devalue-5.1.1.tgz
Path to dependency file: /toolbar-app/package.json
Path to vulnerable library: /toolbar-app/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.1.3.tgz (Root Library)
- ❌ devalue-5.1.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a proto property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-08-26
URL: CVE-2025-57820
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj54-72f3-p5jv
Release Date: 2025-08-26
Fix Resolution (devalue): 5.3.2
Direct dependency fix Resolution (astro): 5.1.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-55303
Vulnerable Library - astro-5.1.3.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.1.3.tgz
Path to dependency file: /tutorials/package.json
Path to vulnerable library: /tutorials/package.json,/toolbar-app/package.json
Dependency Hierarchy:
- ❌ astro-5.1.3.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Publish Date: 2025-08-19
URL: CVE-2025-55303
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
⛑️Automatic Remediation will be attempted for this issue.