CVE-2026-25545: Astro has Full-Read SSRF in error rendering via Host: header injection
Server-side rendered (SSR) pages that return an error and fall back to a prerendered custom error page (e.g. 404.astro or 500.astro) are vulnerable to SSRF. The URL of the prerendered error page (e.g. /500.html) is built from the request's Host: header, so an attacker who sets Host: to a server they control makes the application fetch the error page from that server. The attacker's server can answer with a redirect to any internal URL; the redirect is followed and the body of the internal response is returned in the error page served for the original request, giving a full-read SSRF.
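To make the bug class concrete, the following is an added illustration written for this page; it is not Astro's or the @astrojs/node adapter's code, and the request shape, function names, the local origin and the allowlist are assumptions. It contrasts a URL builder that trusts the Host: header with a hardened variant that derives the origin from server configuration and refuses to follow redirects.

```javascript
// Added example (not Astro's code): how a Host-header-derived fetch URL turns
// an error-page fallback into SSRF, and one way to build it safely instead.

// Vulnerable pattern: the origin used to fetch the prerendered error page is
// copied from the incoming request, so "Host: attacker.example" makes the
// server request http://attacker.example/500.html and follow any redirect
// that host returns.
function vulnerableErrorPageUrl(req, status) {
  const host = req.headers.host; // attacker-controlled
  const proto = req.headers['x-forwarded-proto'] || 'http';
  return `${proto}://${host}/${status}.html`;
}

// Hardened pattern (one possible fix, not necessarily the upstream one):
// the origin comes from the server's own configured bind address, the status
// is validated before it is interpolated, and fetch() is told to fail on any
// 3xx instead of following it, so a hostile upstream cannot bounce the
// request to an internal address.
function hardenedErrorPageRequest(localOrigin, status) {
  if (!/^\d{3}$/.test(String(status))) {
    throw new TypeError('status must be a 3-digit HTTP status code');
  }
  return {
    url: new URL(`/${status}.html`, localOrigin).href,
    init: { redirect: 'error' }, // RequestInit.redirect: 'error' rejects on redirect
  };
}

// Defence in depth: if a request-derived host must be used at all, accept only
// names from an explicit allowlist (case-insensitive, port ignored).
function isAllowedHost(hostHeader, allowedHosts) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  const name = hostHeader.replace(/:\d+$/, '').toLowerCase();
  return allowedHosts.includes(name);
}

// Constructed sample requests (not captured traffic).
const benignReq = { headers: { host: 'www.example.com' } };
const hostileReq = { headers: { host: 'attacker.example' } };
const LOCAL_ORIGIN = 'http://127.0.0.1:4321'; // assumed bind address
const ALLOWED_HOSTS = ['www.example.com']; // assumed allowlist

function demo() {
  const rows = [
    ['vulnerable, benign', vulnerableErrorPageUrl(benignReq, 500)],
    ['vulnerable, hostile', vulnerableErrorPageUrl(hostileReq, 500)],
    ['hardened', hardenedErrorPageRequest(LOCAL_ORIGIN, 500).url],
    ['allowlist hostile', isAllowedHost(hostileReq.headers.host, ALLOWED_HOSTS)],
  ];
  for (const [label, value] of rows) console.log(`${label}: ${value}`);
  return rows;
}

demo();
```

The hardened builder never consults the request at all for the origin; reading the prerendered file directly from the build output would remove the outbound HTTP request entirely and is the simplest way to eliminate this class of bug.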
References
- github.com/advisories/GHSA-qq67-mvv5-fw3g
- github.com/withastro/astro
- github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9
- github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4
- github.com/withastro/astro/security/advisories/GHSA-qq67-mvv5-fw3g
- nvd.nist.gov/vuln/detail/CVE-2026-25545