
Commit ab23ac0

1 parent 48eaacd commit ab23ac0


2 files changed

+8
-7
lines changed


advisories/github-reviewed/2025/08/GHSA-cq8c-xv66-36gw/GHSA-cq8c-xv66-36gw.json

Lines changed: 2 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-cq8c-xv66-36gw",
4-
"modified": "2025-08-08T16:29:05Z",
4+
"modified": "2025-11-27T08:06:51Z",
55
"published": "2025-08-07T16:41:55Z",
66
"aliases": [
77
"CVE-2025-54793"
88
],
99
"summary": "Astros's duplicate trailing slash feature leads to an open redirection security issue",
10-
"details": "## Summary\n\nThere is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as `https://mydomain.com//malicious-site.com/`. This increases the risk of phishing and other social engineering attacks.\n\nThis affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.\n\n## Background\n\nAstro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the [`trailingSlash`](https://docs.astro.build/en/reference/configuration-reference/#trailingslash) configuration option. It follows the following rules:\n\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page/` will redirect to `https://example.com/page` \n- If `trailingSlash` is set to `\"always\"`, `https://example.com/page` will redirect to `https://example.com/page/`\n\nIt also collapses multiple trailing slashes, according to the following rules:\n\n- If `trailingSlash` is set to `\"always\"` or `\"ignore\"` (the default), `https://example.com/page//` will redirect to `https://example.com/page/`\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page//` will redirect to `https://example.com/page` \n\nIt does this by returning a `301` redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from `https://example.com/page` to `https://example.com/page/`, it sending a 301 response with the header `Location: /page/`. The browser resolves this URL relative to the original page URL and redirects to `https://example.com/page/`\n\n## Details\n\nThe vulnerability occurs if the target path starts with `//`. A request for `https://example.com//page` will send the header `Location: //page/`. 
The browser interprets this as a [protocol-relative URL](https://en.wikipedia.org/wiki/URL#Protocol-relative_URLs), so instead of redirecting to `https://example.com//page/`, it will attempt to redirect to `https://page/`. This is unlikely to resolve, but by crafting a URL in the form `https://example.com//target.domain/subpath`, it will send the header `Location: //target.domain/subpath/`, which the browser translates as a redirect to `https://target.domain/subpath/`. The subpath part is required because otherwise Astro will interpret `/target.domain` as a file download, which skips trailing slash handling.\n\nThis leads to an [Open Redirect](https://cwe.mitre.org/data/definitions/601.html) vulnerability.\n\nThe URL needed to trigger the vulnerability varies according to the `trailingSlash` setting.\n\n- If `trailingSlash` is set to `\"never\"`, a URL in the form `https://example.com//target.domain/subpath/`\n- If `trailingSlash` is set to `\"always\"`, a URL in the form `https://example.com//target.domain/subpath`\n- For any config value, a URL in the form `https://example.com//target.domain/subpath//`\n\n## Impact\n\nThis is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.\n\nNo authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.\n\n## Mitigation\n\nYou can test if your site is affected by visiting `https://yoursite.com//docs.astro.build/en//`. If you are redirected to the Astro docs then your site is affected and must be updated.\n\nUpgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a `Location` header value that starts with `//`.",
10+
"details": "## Summary\n\nThere is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as `https://mydomain.com//malicious-site.com/`. This increases the risk of phishing and other social engineering attacks.\n\nThis affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.\n\n## Background\n\nAstro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the [`trailingSlash`](https://docs.astro.build/en/reference/configuration-reference/#trailingslash) configuration option. It follows the following rules:\n\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page/` will redirect to `https://example.com/page` \n- If `trailingSlash` is set to `\"always\"`, `https://example.com/page` will redirect to `https://example.com/page/`\n\nIt also collapses multiple trailing slashes, according to the following rules:\n\n- If `trailingSlash` is set to `\"always\"` or `\"ignore\"` (the default), `https://example.com/page//` will redirect to `https://example.com/page/`\n- If `trailingSlash` is set to `\"never\"`, `https://example.com/page//` will redirect to `https://example.com/page` \n\nIt does this by returning a `301` redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from `https://example.com/page` to `https://example.com/page/`, it sending a 301 response with the header `Location: /page/`. The browser resolves this URL relative to the original page URL and redirects to `https://example.com/page/`\n\n## Details\n\nThe vulnerability occurs if the target path starts with `//`. A request for `https://example.com//page` will send the header `Location: //page/`. 
The browser interprets this as a [protocol-relative URL](https://en.wikipedia.org/wiki/URL#Protocol-relative_URLs), so instead of redirecting to `https://example.com//page/`, it will attempt to redirect to `https://page/`. This is unlikely to resolve, but by crafting a URL in the form `https://example.com//target.domain/subpath`, it will send the header `Location: //target.domain/subpath/`, which the browser translates as a redirect to `https://target.domain/subpath/`. The subpath part is required because otherwise Astro will interpret `/target.domain` as a file download, which skips trailing slash handling.\n\nThis leads to an [Open Redirect](https://cwe.mitre.org/data/definitions/601.html) vulnerability.\n\nThe URL needed to trigger the vulnerability varies according to the `trailingSlash` setting.\n\n- If `trailingSlash` is set to `\"never\"`, a URL in the form `https://example.com//target.domain/subpath/`\n- If `trailingSlash` is set to `\"always\"`, a URL in the form `https://example.com//target.domain/subpath`\n- For any config value, a URL in the form `https://example.com//target.domain/subpath//`\n\n## Impact\n\nThis is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.\n\nNo authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.\n\n## Mitigation\n\nUsrs can test if your site is affected by visiting `https://yoursite.com//docs.astro.build/en//`. If a user is redirected to the Astro docs then their site is affected and must be updated.\n\nUpgrade to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a `Location` header value that starts with `//`.",
1111
"severity": [
1212
{
1313
"type": "CVSS_V4",
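Review bot: the rewritten Mitigation paragraph in the 10+ line introduces the typo "Usrs" and mixes second and third person ("Usrs can test if your site is affected ... If a user is redirected ... their site"); suggest "Users can test whether their site is affected by visiting `https://yoursite.com//docs.astro.build/en//`. If they are redirected to the Astro docs, their site is affected and must be updated." The pre-existing grammar slip in the Background section, "it sending a 301 response with the header `Location: /page/`", is carried over unchanged in the same line and could be corrected to "it sends a 301 response" while the details field is already being edited.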

advisories/github-reviewed/2025/08/GHSA-xf8x-j4p2-f749/GHSA-xf8x-j4p2-f749.json

Lines changed: 6 additions & 5 deletions
@@ -1,14 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xf8x-j4p2-f749",
4-
"modified": "2025-08-19T21:41:46Z",
4+
"modified": "2025-11-27T08:07:30Z",
55
"published": "2025-08-19T15:40:31Z",
66
"aliases": [
77
"CVE-2025-55303"
88
],
99
"summary": "Astro allows unauthorized third-party images in _image endpoint",
1010
"details": "### Summary\n\nIn affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.\n\n### Details\n\nOn-demand rendered sites built with Astro include an `/_image` endpoint which returns optimized versions of images.\n\nThe `/_image` endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the [`image.domains`](https://docs.astro.build/en/reference/configuration-reference/#imagedomains) or [`image.remotePatterns`](https://docs.astro.build/en/reference/configuration-reference/#imageremotepatterns) options).\n\nHowever, a bug in impacted versions of `astro` allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. `/_image?href=//example.com/image.png`.\n\n### Proof of Concept\n\n1. Create a new minimal Astro project (`[email protected]`).\n\n2. Configure it to use the Node adapter (`@astrojs/[email protected]` — newer versions are not impacted):\n\n ```js\n // astro.config.mjs\n import { defineConfig } from 'astro/config';\n import node from '@astrojs/node';\n\n export default defineConfig({\n \tadapter: node({ mode: 'standalone' }),\n });\n ```\n\n3. Build the site by running `astro build`.\n\n4. Run the server, e.g. with `astro preview`.\n\n5. Append `/_image?href=//placehold.co/600x400` to the preview URL, e.g. <http://localhost:4321/_image?href=//placehold.co/600x400>\n\n6. The site will serve the image from the unauthorized `placehold.co` origin.\n\n### Impact\n\nAllows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.\nIn the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.",
1111
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
15+
},
1216
{
1317
"type": "CVSS_V4",
1418
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
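Review bot: the added CVSS_V3 entry (lines 12+ to 15+) rates impact as C:L/I:L with scope changed (S:C), while the existing CVSS_V4 vector that follows rates the subsequent system at SC:H/SI:H; the two vectors disagree on how severe the cross-origin impact is for the same issue, so confirm which assessment is intended before merging, or align them. Syntactically the hunk is fine: the new object is comma-terminated and sits before the existing CVSS_V4 object in the same `severity` array, and the header length change (-1,14 +1,18) matches the four added lines.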
@@ -32,10 +36,7 @@
3236
}
3337
]
3438
}
35-
],
36-
"database_specific": {
37-
"last_known_affected_version_range": "<= 5.13.0"
38-
}
39+
]
3940
},
4041
{
4142
"package": {
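Review bot: removing `database_specific.last_known_affected_version_range` ("<= 5.13.0") at lines 35- to 38- drops the only upper bound visible for this affected entry; that is only correct if the `ranges` array closed by the `]` at line 39+ now carries an explicit `fixed` event (not shown in this hunk), otherwise the entry becomes open-ended and the published details text's fix version has no machine-readable counterpart. The trailing comma is handled correctly (`],` becomes `]`), so the object remains valid JSON.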
