CVE-2025-59837
October 28, 2025
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.
Affected Packages
https://github.com/withastro/astro.git (GITHUB):
Affected version(s) >=@astrojs/internal-helpers@0.7.0 <@astrojs/internal-helpers@0.7.3Fix Suggestion:
Update to version @astrojs/internal-helpers@0.7.3https://github.com/withastro/astro.git (GITHUB):
Affected version(s) >=astro@5.13.4 <astro@5.13.10Fix Suggestion:
Update to version astro@5.13.10astro (NPM):
Affected version(s) >=5.13.4 <5.13.10Fix Suggestion:
Update to version 5.13.10@astrojs/internal-helpers (NPM):
Affected version(s) >=0.7.0 <0.7.3Fix Suggestion:
Update to version 0.7.3Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
EPSS
Base Score:
0.04
