Home / Vulnerability Intelligence / CVE-2026-25545

CVE-2026-25545 - Vulnerability Analysis

HighCVSS: 8.6

Last Updated: February 25, 2026

Astro - Server-Side Request Forgery

Published: February 24, 2026Updated: February 25, 2026PoC AvailableRemote Exploitable

Overview

Astro < 9.5.4 contains a server-side request forgery caused by improper Host header validation in prerendered custom error pages, letting attackers fetch internal URLs and read responses, exploit requires direct server access without proxy.

Severity & Score

Severity: High

CVSS Score: 8.6

Impact

Attackers can read internal network resources and cloud metadata by redirecting requests, potentially exposing sensitive internal data.

Mitigation

Upgrade to version 9.5.4 or later.

References

https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9
https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4
https://github.com/withastro/astro/security/advisories/GHSA-qq67-mvv5-fw3g

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-25545
Severity: High
CVSS Score: 8.6
Type: server_side_request_forgery
Status: confirmed

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N