{"id":"CVE-2025-54793","summary":"Astro: Duplicate trailing slash feature can lead to Open Redirects","details":"Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`.","aliases":["GHSA-cq8c-xv66-36gw"],"modified":"2026-04-02T12:53:59.817269Z","published":"2025-08-08T00:02:38.299Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54793.json","cwe_ids":["CWE-601"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54793.json"},{"type":"ADVISORY","url":"https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54793"},{"type":"FIX","url":"https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/withastro/astro","events":[{"introduced":"f6b7839411233c95af529eb0eee098c24e1d9d80"},{"fixed":"0f0a4c44af27c9c73e59a392d3cc1888d0935cc2"}]}],"versions":["@astrojs/alpinejs@0.4.4","@astrojs/alpinejs@0.4.5","@astrojs/alpinejs@0.4.6","@astrojs/alpinejs@0.4.7","@astrojs/alpinejs@0.4.8","@astrojs/cloudflare@12.2.2","@astrojs/cloudflare@12.2.3","@astrojs/cloudflare@12.2.4","@astrojs/cloudflare@12.3.0","@astrojs/cloudflare@12.3.1","@astrojs/cloudflare@12.4.0","@astrojs/cloudflare@12.4.1","@astrojs/cloudflare@12.5.0","@astrojs/cloudflare@12.5.1","@astrojs/cloudflare@12.5.2","@astrojs/cloudflare@12.5.3","@astrojs/cloudflare@12.5.4","@astrojs/cloudflare@12.5.5","@astrojs/cloudflare@12.6.0","@astrojs/cloudflare@12.6.1","@astrojs/db@0.14.10","@astrojs/db@0.14.11","@astrojs/db@0.14.12","@astrojs/db@0.14.13","@astrojs/db@0.14.14","@astrojs/db@0.14.7","@astrojs/db@0.14.8","@astrojs/db@0.14.9","@astrojs/db@0.15.0","@astrojs/db@0.15.1","@astrojs/internal-helpers@0.5.0","@astrojs/internal-helpers@0.5.1","@astrojs/internal-helpers@0.6.0","@astrojs/internal-helpers@0.6.1","@astrojs/internal-helpers@0.7.0","@astrojs/markdoc@0.12.10","@astrojs/markdoc@0.12.11","@astrojs/markdoc@0.12.8","@astrojs/markdoc@0.12.9","@astrojs/markdoc@0.13.0","@astrojs/markdoc@0.13.2","@astrojs/markdoc@0.13.3","@astrojs/markdoc@0.13.4","@astrojs/markdoc@0.14.0","@astrojs/markdoc@0.14.1","@astrojs/markdoc@0.14.2","@astrojs/markdoc@0.15.0","@astrojs/markdoc@0.15.1","@astrojs/markdoc@0.15.2","@astrojs/markdoc@0.15.3","@astrojs/markdown-remark@6.1.0","@astrojs/markdown-remark@6.2.0","@astrojs/markdown-remark@6.2.1","@astrojs/markdown-remark@6.3.0","@astrojs/markdown-remark@6.3.2","@astrojs/markdown-remark@6.3.3","@astrojs/markdown-remark@6.3.4","@astrojs/mdx@4.0.8","@astrojs/mdx@4.1.0","@astrojs/mdx@4.1.1","@astrojs/mdx@4.2.0","@astrojs/mdx@4.2.2","@astrojs/mdx@4.2.3","@astrojs/mdx@4.2.4","@astrojs/mdx@4.2.5","@astrojs/mdx@4.2.6","@astrojs/mdx@4.3.0","@astrojs/mdx@4.3.1","@astrojs/mdx@4.3.2","@astrojs/netlify@6.2.0","@astrojs/netlify@6.2.1","@astrojs/netlify@6.2.2","@astrojs/netlify@6.2.3","@astrojs/netlify@6.2.4","@astrojs/netlify@6.2.5","@astrojs/netlify@6.2.6","@astrojs/netlify@6.3.0","@astrojs/netlify@6.3.1","@astrojs/netlify@6.3.2","@astrojs/netlify@6.3.3","@astrojs/netlify@6.3.4","@astrojs/netlify@6.4.0","@astrojs/netlify@6.4.1","@astrojs/netlify@6.5.0","@astrojs/netlify@6.5.1","@astrojs/netlify@6.5.2","@astrojs/netlify@6.5.3","@astrojs/netlify@6.5.4","@astrojs/node@9.0.3","@astrojs/node@9.1.0","@astrojs/node@9.1.1","@astrojs/node@9.1.2","@astrojs/node@9.1.3","@astrojs/node@9.2.0","@astrojs/node@9.2.1","@astrojs/node@9.2.2","@astrojs/node@9.3.0","@astrojs/node@9.3.1","@astrojs/node@9.3.2","@astrojs/partytown@2.1.4","@astrojs/preact@4.0.10","@astrojs/preact@4.0.11","@astrojs/preact@4.0.4","@astrojs/preact@4.0.5","@astrojs/preact@4.0.6","@astrojs/preact@4.0.7","@astrojs/preact@4.0.8","@astrojs/preact@4.0.9","@astrojs/preact@4.1.0","@astrojs/prism@3.3.0","@astrojs/react@4.2.1","@astrojs/react@4.2.2","@astrojs/react@4.2.3","@astrojs/react@4.2.4","@astrojs/react@4.2.5","@astrojs/react@4.2.6","@astrojs/react@4.2.7","@astrojs/react@4.3.0","@astrojs/rss@4.0.12","@astrojs/sitemap@3.3.1","@astrojs/sitemap@3.4.0","@astrojs/sitemap@3.4.1","@astrojs/sitemap@3.4.2","@astrojs/solid-js@5.0.10","@astrojs/solid-js@5.0.5","@astrojs/solid-js@5.0.6","@astrojs/solid-js@5.0.7","@astrojs/solid-js@5.0.8","@astrojs/solid-js@5.0.9","@astrojs/solid-js@5.1.0","@astrojs/studio@0.1.5","@astrojs/studio@0.1.6","@astrojs/studio@0.1.7","@astrojs/studio@0.1.8","@astrojs/studio@0.1.9","@astrojs/svelte@7.0.10","@astrojs/svelte@7.0.11","@astrojs/svelte@7.0.12","@astrojs/svelte@7.0.13","@astrojs/svelte@7.0.5","@astrojs/svelte@7.0.6","@astrojs/svelte@7.0.7","@astrojs/svelte@7.0.8","@astrojs/svelte@7.0.9","@astrojs/svelte@7.1.0","@astrojs/tailwind@6.0.0","@astrojs/tailwind@6.0.1","@astrojs/tailwind@6.0.2","@astrojs/telemetry@3.2.1","@astrojs/telemetry@3.3.0","@astrojs/underscore-redirects@0.6.1","@astrojs/underscore-redirects@1.0.0","@astrojs/upgrade@0.5.0","@astrojs/upgrade@0.5.1","@astrojs/upgrade@0.5.2","@astrojs/upgrade@0.6.0","@astrojs/upgrade@0.6.1","@astrojs/vercel@8.0.7","@astrojs/vercel@8.0.8","@astrojs/vercel@8.1.0","@astrojs/vercel@8.1.1","@astrojs/vercel@8.1.2","@astrojs/vercel@8.1.3","@astrojs/vercel@8.1.4","@astrojs/vercel@8.1.5","@astrojs/vercel@8.2.0","@astrojs/vercel@8.2.1","@astrojs/vercel@8.2.2","@astrojs/vercel@8.2.3","@astrojs/vercel@8.2.4","@astrojs/vue@5.0.10","@astrojs/vue@5.0.11","@astrojs/vue@5.0.12","@astrojs/vue@5.0.13","@astrojs/vue@5.0.7","@astrojs/vue@5.0.8","@astrojs/vue@5.0.9","@astrojs/vue@5.1.0","@astrojs/web-vitals@3.0.2","@astrojs/web-vitals@4.0.0","astro@5.10.0","astro@5.10.1","astro@5.10.2","astro@5.11.0","astro@5.11.1","astro@5.11.2","astro@5.12.0","astro@5.12.1","astro@5.12.2","astro@5.12.3","astro@5.12.4","astro@5.12.5","astro@5.12.6","astro@5.12.7","astro@5.2.0","astro@5.2.1","astro@5.2.2","astro@5.2.3","astro@5.2.4","astro@5.2.5","astro@5.2.6","astro@5.3.0","astro@5.3.1","astro@5.4.0","astro@5.4.1","astro@5.4.2","astro@5.4.3","astro@5.5.0","astro@5.5.1","astro@5.5.2","astro@5.5.3","astro@5.5.4","astro@5.5.5","astro@5.5.6","astro@5.6.0","astro@5.6.1","astro@5.6.2","astro@5.7.0","astro@5.7.1","astro@5.7.10","astro@5.7.11","astro@5.7.12","astro@5.7.13","astro@5.7.14","astro@5.7.2","astro@5.7.3","astro@5.7.4","astro@5.7.5","astro@5.7.6","astro@5.7.7","astro@5.7.8","astro@5.7.9","astro@5.8.0","astro@5.8.1","astro@5.8.2","astro@5.9.0","astro@5.9.1","astro@5.9.2","astro@5.9.3","astro@5.9.4","create-astro@4.11.1","create-astro@4.11.2","create-astro@4.11.3","create-astro@4.11.4","create-astro@4.12.0","create-astro@4.12.1","create-astro@4.13.0","create-astro@4.13.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54793.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"}]}