CVE-2025-64745 LOW

CVE-2025-64745: Astro development server error page vulnerable to reflected Cross-site Scripting

Vendor Withastro
Product astro
Weakness CWE-79 · XSS
Published November 13, 2025
Last update November 13, 2025
View on NVD All CVEs

CVSS base score

2.7/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.

Key dates

02Disclosure timeline

November 13, 2025 CVE published
November 13, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-9279 funnyzpc Mee-Admin User Center index cross site scripting CVE-2022-33943 WordPress BxSlider WP plugin <= 2.0.0 - Authenticated Cross-Site Scripting (XSS) vulnerability CVE-2021-1239 Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerabilities CVE-2024-20511 Cisco Unified Communications Manager Cross-Site Scripting Vulnerability CVE-2021-24214 OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error