Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package astro, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (20)
CVE-2026-54299 — CVSS 7.5 (high): Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true)…
CVE-2025-59837 — CVSS 7.2 (high): Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can…
CVE-2025-64764 — CVSS 7.1 (high): Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the…
CVE-2026-50146 — CVSS 7.1 (high): Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a…
CVE-2025-64525 — CVSS 6.5 (medium): Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilizeon-demand rendering, request headers…
CVE-2025-66202 — CVSS 6.5 (medium): Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass…
CVE-2025-61925 — CVSS 6.5 (medium): Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without…
CVE-2025-55303 — CVSS 6.1 (medium): Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in…
CVE-2026-41067 — CVSS 6.1 (medium): Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive…
CVE-2026-45028 — CVSS 6.1 (medium): Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server…
CVE-2025-54793 — CVSS 6.1 (medium): Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the…
CVE-2024-47885 — CVSS 5.9 (medium): The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can…
CVE-2024-56140 — CVSS 5.9 (medium): Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to…
CVE-2025-65019 — CVSS 5.4 (medium): Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the…
CVE-2026-33769 — CVSS 5.3 (medium): Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for…
CVE-2025-64765 — CVSS 5.3 (medium): Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and…
CVE-2024-56159 — CVSS 5.3 (medium): Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the…
CVE-2026-54298 — CVSS 4.2 (medium): Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys…
CVE-2025-64757 — CVSS 3.5 (low): Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that…
CVE-2025-64745 — CVSS 2.7 (low): Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability…