CVE-2025-64525
Vulnerability data via CVEDB (Shodan)
Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most important of which are: middleware-based protected route bypass (only via `x-forwarded-proto`), DoS via cache poisoning (if a CDN is present), SSRF (only via `x-forwarded-proto`), URL pollution (potential SXSS, if a CDN is present), and WAF bypass. Version 5.15.5 contains a patch.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2025-64525product:"Astro Astro" version:"3.0.0"http.html:"Astro"More intel sources (5)
vuln:CVE-2025-64525vulnerabilities.cve_id: CVE-2025-64525CVE-2025-64525CVE-2025-64525"CVE-2025-64525" exploit -site:nvd.nist.gov