astro is vulnerable to Improper Input Validation
60
Medium Risk
Affected versions of this package are vulnerable to cache poisoning and host header manipulation due to insufficient validation of X-Forwarded-Host, X-Forwarded-Proto, and X-Forwarded-Port headers. Attackers could inject or manipulate these headers to bypass domain restrictions, influence routing, or poison caches. The fix introduces strict validation logic—including sanitizing hostnames, validating protocols and ports against allowed domains, and rejecting invalid or path-injection style values.
You are affected if you are using a vulnerable version of the package.
astro is vulnerable to Improper Input Validation in versions 1.0.12 - 5.15.4.
Upgrade the astro library to the patched version.
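
The kind of validation the description above refers to, as an added JavaScript example that is not Astro's own code: forwarded host, protocol and port are parsed strictly and honoured only when they match an allowlist, and any failure falls back to the configured origin. The function name, the allowlist entry shape and the sample domains are assumptions made for illustration.

```javascript
// Added example, not Astro's code. Allowlist entries and all names are hypothetical.
const HOST_RE = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\d{1,5}))?$/;
const norm = (v) => (typeof v === "string" ? v.trim().toLowerCase() : "");
const validPort = (p) => /^\d{1,5}$/.test(p) && Number(p) >= 1 && Number(p) <= 65535;

function resolveOrigin(headers, allowed, fallbackOrigin) {
  // Any failure discards all forwarded values and falls back to the configured origin.
  const reject = (reason) => ({ origin: fallbackOrigin, forwarded: false, reason });

  const rawHost = norm(headers["x-forwarded-host"]);
  if (!rawHost) return reject("no forwarded host");
  // Only hostname[:port] passes; '/', '@', '?', ',', whitespace etc. are refused.
  const m = HOST_RE.exec(rawHost);
  if (!m) return reject("malformed host");
  const hostname = m[1];

  const proto = norm(headers["x-forwarded-proto"]) || new URL(fallbackOrigin).protocol.slice(0, -1);
  if (proto !== "http" && proto !== "https") return reject("invalid protocol");

  const hdrPort = norm(headers["x-forwarded-port"]);
  if (hdrPort && m[2] && hdrPort !== m[2]) return reject("conflicting ports");
  let port = hdrPort || m[2] || "";
  if (port && !validPort(port)) return reject("invalid port");
  if (port === (proto === "https" ? "443" : "80")) port = ""; // default port is implicit

  // An entry without `port` permits only the protocol's default port.
  const ok = allowed.some((d) =>
    d.hostname === hostname && d.protocol === proto && String(d.port ?? "") === port);
  if (!ok) return reject("not in allowlist");

  return { origin: `${proto}://${hostname}${port ? ":" + port : ""}`, forwarded: true, reason: "ok" };
}

// Constructed sample configuration.
const ALLOWED = [
  { protocol: "https", hostname: "shop.example" },
  { protocol: "https", hostname: "admin.example", port: 8443 },
];
const FALLBACK = "https://shop.example";
```

Because a rejected request resolves to the configured origin, a response generated from it never embeds an attacker-chosen host that a shared cache could then store.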