Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-64745

Good to know:

icon
icon

Date: November 13, 2025

Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the "trailingSlash" configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.

Severity Score

Related Resources (7)

https://nvd.nist.gov/vuln/detail/CVE-2025-64745
https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7
https://github.com/withastro/astro
https://github.com/withastro/astro/pull/12994
https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149
https://www.mend.io/vulnerability-database/CVE-2025-64745

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version astro - 5.15.6;https://github.com/withastro/astro.git - astro@5.15.6

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us