{"id":"CVE-2025-64745","summary":"Astro development server error page vulnerable to reflected Cross-site Scripting","details":"Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links. Version 5.15.6 fixes the issue.","aliases":["GHSA-w2vj-39qv-7vh7"],"modified":"2026-04-02T13:00:01.714059Z","published":"2025-11-13T20:26:13.261Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64745.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64745.json"},{"type":"ADVISORY","url":"https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64745"},{"type":"FIX","url":"https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"},{"type":"FIX","url":"https://github.com/withastro/astro/pull/12994"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/withastro/astro","events":[{"introduced":"f6b7839411233c95af529eb0eee098c24e1d9d80"},{"fixed":"190106149908ef6826899459146ef9f0ead602ab"}]}],"versions":["@astrojs/alpinejs@0.4.4","@astrojs/alpinejs@0.4.5","@astrojs/alpinejs@0.4.6","@astrojs/alpinejs@0.4.7","@astrojs/alpinejs@0.4.8","@astrojs/alpinejs@0.4.9","@astrojs/cloudflare@12.2.2","@astrojs/cloudflare@12.2.3","@astrojs/cloudflare@12.2.4","@astrojs/cloudflare@12.3.0","@astrojs/cloudflare@12.3.1","@astrojs/cloudflare@12.4.0","@astrojs/cloudflare@12.4.1","@astrojs/cloudflare@12.5.0","@astrojs/cloudflare@12.5.1","@astrojs/cloudflare@12.5.2","@astrojs/cloudflare@12.5.3","@astrojs/cloudflare@12.5.4","@astrojs/cloudflare@12.5.5","@astrojs/cloudflare@12.6.0","@astrojs/cloudflare@12.6.1","@astrojs/cloudflare@12.6.10","@astrojs/cloudflare@12.6.2","@astrojs/cloudflare@12.6.3","@astrojs/cloudflare@12.6.4","@astrojs/cloudflare@12.6.5","@astrojs/cloudflare@12.6.6","@astrojs/cloudflare@12.6.7","@astrojs/cloudflare@12.6.8","@astrojs/cloudflare@12.6.9","@astrojs/db@0.14.10","@astrojs/db@0.14.11","@astrojs/db@0.14.12","@astrojs/db@0.14.13","@astrojs/db@0.14.14","@astrojs/db@0.14.7","@astrojs/db@0.14.8","@astrojs/db@0.14.9","@astrojs/db@0.15.0","@astrojs/db@0.15.1","@astrojs/db@0.16.0","@astrojs/db@0.16.1","@astrojs/db@0.17.0","@astrojs/db@0.17.1","@astrojs/db@0.17.2","@astrojs/db@0.18.0","@astrojs/db@0.18.1","@astrojs/db@0.18.2","@astrojs/internal-helpers@0.5.0","@astrojs/internal-helpers@0.5.1","@astrojs/internal-helpers@0.6.0","@astrojs/internal-helpers@0.6.1","@astrojs/internal-helpers@0.7.0","@astrojs/internal-helpers@0.7.1","@astrojs/internal-helpers@0.7.2","@astrojs/internal-helpers@0.7.3","@astrojs/internal-helpers@0.7.4","@astrojs/language-server@2.16.0","@astrojs/markdoc@0.12.10","@astrojs/markdoc@0.12.11","@astrojs/markdoc@0.12.8","@astrojs/markdoc@0.12.9","@astrojs/markdoc@0.13.0","@astrojs/markdoc@0.13.2","@astrojs/markdoc@0.13.3","@astrojs/markdoc@0.13.4","@astrojs/markdoc@0.14.0","@astrojs/markdoc@0.14.1","@astrojs/markdoc@0.14.2","@astrojs/markdoc@0.15.0","@astrojs/markdoc@0.15.1","@astrojs/markdoc@0.15.2","@astrojs/markdoc@0.15.3","@astrojs/markdoc@0.15.4","@astrojs/markdoc@0.15.5","@astrojs/markdoc@0.15.6","@astrojs/markdoc@0.15.7","@astrojs/markdoc@0.15.8","@astrojs/markdown-remark@6.1.0","@astrojs/markdown-remark@6.2.0","@astrojs/markdown-remark@6.2.1","@astrojs/markdown-remark@6.3.0","@astrojs/markdown-remark@6.3.2","@astrojs/markdown-remark@6.3.3","@astrojs/markdown-remark@6.3.4","@astrojs/markdown-remark@6.3.5","@astrojs/markdown-remark@6.3.6","@astrojs/markdown-remark@6.3.7","@astrojs/markdown-remark@6.3.8","@astrojs/mdx@4.0.8","@astrojs/mdx@4.1.0","@astrojs/mdx@4.1.1","@astrojs/mdx@4.2.0","@astrojs/mdx@4.2.2","@astrojs/mdx@4.2.3","@astrojs/mdx@4.2.4","@astrojs/mdx@4.2.5","@astrojs/mdx@4.2.6","@astrojs/mdx@4.3.0","@astrojs/mdx@4.3.1","@astrojs/mdx@4.3.10","@astrojs/mdx@4.3.2","@astrojs/mdx@4.3.3","@astrojs/mdx@4.3.4","@astrojs/mdx@4.3.5","@astrojs/mdx@4.3.6","@astrojs/mdx@4.3.7","@astrojs/mdx@4.3.9","@astrojs/netlify@6.2.0","@astrojs/netlify@6.2.1","@astrojs/netlify@6.2.2","@astrojs/netlify@6.2.3","@astrojs/netlify@6.2.4","@astrojs/netlify@6.2.5","@astrojs/netlify@6.2.6","@astrojs/netlify@6.3.0","@astrojs/netlify@6.3.1","@astrojs/netlify@6.3.2","@astrojs/netlify@6.3.3","@astrojs/netlify@6.3.4","@astrojs/netlify@6.4.0","@astrojs/netlify@6.4.1","@astrojs/netlify@6.5.0","@astrojs/netlify@6.5.1","@astrojs/netlify@6.5.10","@astrojs/netlify@6.5.11","@astrojs/netlify@6.5.12","@astrojs/netlify@6.5.13","@astrojs/netlify@6.5.2","@astrojs/netlify@6.5.3","@astrojs/netlify@6.5.4","@astrojs/netlify@6.5.5","@astrojs/netlify@6.5.6","@astrojs/netlify@6.5.7","@astrojs/netlify@6.5.8","@astrojs/netlify@6.5.9","@astrojs/netlify@6.6.0","@astrojs/node@9.0.3","@astrojs/node@9.1.0","@astrojs/node@9.1.1","@astrojs/node@9.1.2","@astrojs/node@9.1.3","@astrojs/node@9.2.0","@astrojs/node@9.2.1","@astrojs/node@9.2.2","@astrojs/node@9.3.0","@astrojs/node@9.3.1","@astrojs/node@9.3.2","@astrojs/node@9.3.3","@astrojs/node@9.4.0","@astrojs/node@9.4.1","@astrojs/node@9.4.2","@astrojs/node@9.4.3","@astrojs/node@9.4.4","@astrojs/node@9.4.5","@astrojs/node@9.4.6","@astrojs/node@9.5.0","@astrojs/partytown@2.1.4","@astrojs/preact@4.0.10","@astrojs/preact@4.0.11","@astrojs/preact@4.0.4","@astrojs/preact@4.0.5","@astrojs/preact@4.0.6","@astrojs/preact@4.0.7","@astrojs/preact@4.0.8","@astrojs/preact@4.0.9","@astrojs/preact@4.1.0","@astrojs/preact@4.1.1","@astrojs/preact@4.1.2","@astrojs/preact@4.1.3","@astrojs/prism@3.3.0","@astrojs/react@4.2.1","@astrojs/react@4.2.2","@astrojs/react@4.2.3","@astrojs/react@4.2.4","@astrojs/react@4.2.5","@astrojs/react@4.2.6","@astrojs/react@4.2.7","@astrojs/react@4.3.0","@astrojs/react@4.3.1","@astrojs/react@4.4.0","@astrojs/react@4.4.1","@astrojs/react@4.4.2","@astrojs/rss@4.0.12","@astrojs/rss@4.0.13","@astrojs/sitemap@3.3.1","@astrojs/sitemap@3.4.0","@astrojs/sitemap@3.4.1","@astrojs/sitemap@3.4.2","@astrojs/sitemap@3.5.0","@astrojs/sitemap@3.5.1","@astrojs/sitemap@3.6.0","@astrojs/solid-js@5.0.10","@astrojs/solid-js@5.0.5","@astrojs/solid-js@5.0.6","@astrojs/solid-js@5.0.7","@astrojs/solid-js@5.0.8","@astrojs/solid-js@5.0.9","@astrojs/solid-js@5.1.0","@astrojs/solid-js@5.1.1","@astrojs/solid-js@5.1.2","@astrojs/solid-js@5.1.3","@astrojs/studio@0.1.5","@astrojs/studio@0.1.6","@astrojs/studio@0.1.7","@astrojs/studio@0.1.8","@astrojs/studio@0.1.9","@astrojs/svelte@7.0.10","@astrojs/svelte@7.0.11","@astrojs/svelte@7.0.12","@astrojs/svelte@7.0.13","@astrojs/svelte@7.0.5","@astrojs/svelte@7.0.6","@astrojs/svelte@7.0.7","@astrojs/svelte@7.0.8","@astrojs/svelte@7.0.9","@astrojs/svelte@7.1.0","@astrojs/svelte@7.1.1","@astrojs/svelte@7.2.0","@astrojs/svelte@7.2.1","@astrojs/svelte@7.2.2","@astrojs/tailwind@6.0.0","@astrojs/tailwind@6.0.1","@astrojs/tailwind@6.0.2","@astrojs/telemetry@3.2.1","@astrojs/telemetry@3.3.0","@astrojs/underscore-redirects@0.6.1","@astrojs/underscore-redirects@1.0.0","@astrojs/upgrade@0.5.0","@astrojs/upgrade@0.5.1","@astrojs/upgrade@0.5.2","@astrojs/upgrade@0.6.0","@astrojs/upgrade@0.6.1","@astrojs/upgrade@0.6.2","@astrojs/vercel@8.0.7","@astrojs/vercel@8.0.8","@astrojs/vercel@8.1.0","@astrojs/vercel@8.1.1","@astrojs/vercel@8.1.2","@astrojs/vercel@8.1.3","@astrojs/vercel@8.1.4","@astrojs/vercel@8.1.5","@astrojs/vercel@8.2.0","@astrojs/vercel@8.2.1","@astrojs/vercel@8.2.10","@astrojs/vercel@8.2.11","@astrojs/vercel@8.2.2","@astrojs/vercel@8.2.3","@astrojs/vercel@8.2.4","@astrojs/vercel@8.2.5","@astrojs/vercel@8.2.6","@astrojs/vercel@8.2.7","@astrojs/vercel@8.2.8","@astrojs/vercel@8.2.9","@astrojs/vue@5.0.10","@astrojs/vue@5.0.11","@astrojs/vue@5.0.12","@astrojs/vue@5.0.13","@astrojs/vue@5.0.7","@astrojs/vue@5.0.8","@astrojs/vue@5.0.9","@astrojs/vue@5.1.0","@astrojs/vue@5.1.1","@astrojs/vue@5.1.2","@astrojs/vue@5.1.3","@astrojs/web-vitals@3.0.2","@astrojs/web-vitals@4.0.0","astro-vscode@2.16.0","astro@5.10.0","astro@5.10.1","astro@5.10.2","astro@5.11.0","astro@5.11.1","astro@5.11.2","astro@5.12.0","astro@5.12.1","astro@5.12.2","astro@5.12.3","astro@5.12.4","astro@5.12.5","astro@5.12.6","astro@5.12.7","astro@5.12.8","astro@5.12.9","astro@5.13.0","astro@5.13.1","astro@5.13.10","astro@5.13.11","astro@5.13.2","astro@5.13.3","astro@5.13.4","astro@5.13.5","astro@5.13.6","astro@5.13.7","astro@5.13.8","astro@5.13.9","astro@5.14.0","astro@5.14.1","astro@5.14.3","astro@5.14.4","astro@5.14.5","astro@5.14.6","astro@5.14.7","astro@5.14.8","astro@5.15.0","astro@5.15.1","astro@5.15.2","astro@5.15.3","astro@5.15.4","astro@5.15.5","astro@5.2.0","astro@5.2.1","astro@5.2.2","astro@5.2.3","astro@5.2.4","astro@5.2.5","astro@5.2.6","astro@5.3.0","astro@5.3.1","astro@5.4.0","astro@5.4.1","astro@5.4.2","astro@5.4.3","astro@5.5.0","astro@5.5.1","astro@5.5.2","astro@5.5.3","astro@5.5.4","astro@5.5.5","astro@5.5.6","astro@5.6.0","astro@5.6.1","astro@5.6.2","astro@5.7.0","astro@5.7.1","astro@5.7.10","astro@5.7.11","astro@5.7.12","astro@5.7.13","astro@5.7.14","astro@5.7.2","astro@5.7.3","astro@5.7.4","astro@5.7.5","astro@5.7.6","astro@5.7.7","astro@5.7.8","astro@5.7.9","astro@5.8.0","astro@5.8.1","astro@5.8.2","astro@5.9.0","astro@5.9.1","astro@5.9.2","astro@5.9.3","astro@5.9.4","create-astro@4.11.1","create-astro@4.11.2","create-astro@4.11.3","create-astro@4.11.4","create-astro@4.12.0","create-astro@4.12.1","create-astro@4.13.0","create-astro@4.13.1","create-astro@4.13.2","create-astro@5.0.0-alpha.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64745.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"}]}