cvelistv5 - cve-2025-54793

CVE-2025-54793 (GCVE-0-2025-54793)

Vulnerability from cvelistv5

Published

2025-08-08 00:02

Modified

2025-08-08 16:55

Severity ?

5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Summary

Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.

References

►

URL

Tags

	security-advisories@github.com	https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f
	security-advisories@github.com	https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw

Impacted products

	Vendor	Product	Version
	withastro	astro	Version: >= 5.2.0, < 5.12.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54793",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-08T16:55:19.482266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-08T16:55:38.979Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "astro",
          "vendor": "withastro",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.2.0, \u003c 5.12.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T00:02:38.299Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
        },
        {
          "name": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"
        }
      ],
      "source": {
        "advisory": "GHSA-cq8c-xv66-36gw",
        "discovery": "UNKNOWN"
      },
      "title": "Astro: Duplicate trailing slash feature can lead to Open Redirects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54793",
    "datePublished": "2025-08-08T00:02:38.299Z",
    "dateReserved": "2025-07-29T16:50:28.394Z",
    "dateUpdated": "2025-08-08T16:55:38.979Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54793\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-08T01:15:24.950\",\"lastModified\":\"2025-08-08T20:30:18.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.\"},{\"lang\":\"es\",\"value\":\"Astro es un framework web para sitios web basados en contenido. En las versiones 5.2.0 a 5.12.7, existe una vulnerabilidad de redirecci\u00f3n abierta en la l\u00f3gica de redirecci\u00f3n de barras diagonales finales al gestionar rutas con barras diagonales dobles. Esto permite a un atacante redirigir a los usuarios a dominios externos arbitrarios mediante la manipulaci\u00f3n de URL como https://mydomain.com//malicious-site.com/. Esto aumenta el riesgo de phishing y otros ataques de ingenier\u00eda social. Afecta a sitios que utilizan renderizado bajo demanda (SSR) con los adaptadores Node o Cloudflare. No afecta a sitios est\u00e1ticos ni a sitios implementados en Netlify o Vercel. Este problema se solucion\u00f3 en la versi\u00f3n 5.12.8. Para solucionar este problema a nivel de red, bloquee las respuestas de redirecci\u00f3n salientes con un valor de encabezado de ubicaci\u00f3n que comience por `//`.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"references\":[{\"url\":\"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54793\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-08T16:55:19.482266Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-08T16:55:32.544Z\"}}], \"cna\": {\"title\": \"Astro: Duplicate trailing slash feature can lead to Open Redirects\", \"source\": {\"advisory\": \"GHSA-cq8c-xv66-36gw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"withastro\", \"product\": \"astro\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.2.0, \u003c 5.12.8\"}]}], \"references\": [{\"url\": \"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw\", \"name\": \"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f\", \"name\": \"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-08T00:02:38.299Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54793\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-08T16:55:38.979Z\", \"dateReserved\": \"2025-07-29T16:50:28.394Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-08T00:02:38.299Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-54793

Vulnerability from fkie_nvd

Published

2025-08-08 01:15

Modified

2025-08-08 20:30

Severity ?

5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f
	security-advisories@github.com	https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`."
    },
    {
      "lang": "es",
      "value": "Astro es un framework web para sitios web basados en contenido. En las versiones 5.2.0 a 5.12.7, existe una vulnerabilidad de redirecci\u00f3n abierta en la l\u00f3gica de redirecci\u00f3n de barras diagonales finales al gestionar rutas con barras diagonales dobles. Esto permite a un atacante redirigir a los usuarios a dominios externos arbitrarios mediante la manipulaci\u00f3n de URL como https://mydomain.com//malicious-site.com/. Esto aumenta el riesgo de phishing y otros ataques de ingenier\u00eda social. Afecta a sitios que utilizan renderizado bajo demanda (SSR) con los adaptadores Node o Cloudflare. No afecta a sitios est\u00e1ticos ni a sitios implementados en Netlify o Vercel. Este problema se solucion\u00f3 en la versi\u00f3n 5.12.8. Para solucionar este problema a nivel de red, bloquee las respuestas de redirecci\u00f3n salientes con un valor de encabezado de ubicaci\u00f3n que comience por `//`."
    }
  ],
  "id": "CVE-2025-54793",
  "lastModified": "2025-08-08T20:30:18.180",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-08T01:15:24.950",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-cq8c-xv66-36gw

Vulnerability from github

Published

2025-08-07 16:41

Modified

2025-08-08 16:29

Severity ?

5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Summary

Astros's duplicate trailing slash feature leads to an open redirection security issue

Details

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

You can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If you are redirected to the Astro docs then your site is affected and must be updated.

Upgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.12.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-07T16:41:55Z",
    "nvd_published_at": "2025-08-08T01:15:24Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThere is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as `https://mydomain.com//malicious-site.com/`. This increases the risk of phishing and other social engineering attacks.\n\nThis affects Astro \u003e=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.\n\n## Background\n\nAstro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the [`trailingSlash`](https://docs.astro.build/en/reference/configuration-reference/#trailingslash) configuration option. It follows the following rules:\n\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page/` will redirect to `https://example.com/page` \n- If `trailingSlash` is set to `\"always\"`, `https://example.com/page` will redirect to `https://example.com/page/`\n\nIt also collapses multiple trailing slashes, according to the following rules:\n\n- If `trailingSlash` is set to `\"always\"` or `\"ignore\"` (the default), `https://example.com/page//` will redirect to `https://example.com/page/`\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page//` will redirect to `https://example.com/page` \n\nIt does this by returning a `301` redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from `https://example.com/page` to `https://example.com/page/`, it sending a 301 response with the header `Location: /page/`. The browser resolves this URL relative to the original page URL and redirects to `https://example.com/page/`\n\n## Details\n\nThe vulnerability occurs if the target path starts with `//`. A request for `https://example.com//page` will send the header `Location: //page/`. The browser interprets this as a [protocol-relative URL](https://en.wikipedia.org/wiki/URL#Protocol-relative_URLs), so instead of redirecting to `https://example.com//page/`, it will attempt to redirect to `https://page/`. This is unlikely to resolve, but by crafting a URL in the form `https://example.com//target.domain/subpath`, it will send the header `Location: //target.domain/subpath/`, which the browser translates as a redirect to `https://target.domain/subpath/`. The subpath part is required because otherwise Astro will interpret `/target.domain` as a file download, which skips trailing slash handling.\n\nThis leads to an [Open Redirect](https://cwe.mitre.org/data/definitions/601.html) vulnerability.\n\nThe URL needed to trigger the vulnerability varies according to the `trailingSlash` setting.\n\n- If `trailingSlash` is set to `\"never\"`, a URL in the form `https://example.com//target.domain/subpath/`\n- If `trailingSlash` is set to `\"always\"`, a URL in the form `https://example.com//target.domain/subpath`\n- For any config value, a URL in the form `https://example.com//target.domain/subpath//`\n\n## Impact\n\nThis is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.\n\nNo authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.\n\n## Mitigation\n\nYou can test if your site is affected by visiting `https://yoursite.com//docs.astro.build/en//`. If you are redirected to the Astro docs then your site is affected and must be updated.\n\nUpgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a `Location` header value that starts with `//`.",
  "id": "GHSA-cq8c-xv66-36gw",
  "modified": "2025-08-08T16:29:05Z",
  "published": "2025-08-07T16:41:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withastro/astro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Astros\u0027s duplicate trailing slash feature leads to an open redirection security issue"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-54793 (GCVE-0-2025-54793)

Vulnerability from cvelistv5

fkie_cve-2025-54793

Vulnerability from fkie_nvd

ghsa-cq8c-xv66-36gw

Vulnerability from github

Summary

Background

Details

Impact

Mitigation

Tags

Sightings

Nomenclature