DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25545: Astro-nomical Screw Up: Full-Read SSRF via Host Header Injection

Vulnerability ID: CVE-2026-25545
CVSS Score: 6.9
Published: 2026-02-23

Astro, the darling framework of the static site generation world, stumbled into a classic web security pitfall: trusting the client. In versions prior to 9.5.4, Astro's Server-Side Rendering (SSR) engine blindly trusted the HTTP Host header when fetching custom error pages. By poisoning this header, an attacker can trick the server into fetching resources from an external domain. The kicker? The internal fetch mechanism follows redirects by default. This turns a simple error page rendering process into a proxy for accessing internal network resources, local services, or cloud metadata endpoints.

TL;DR

Astro < 9.5.4 allows attackers to poison the Host header. When the server renders a custom error page (like 404.astro), it fetches the page using that poisoned host. Because the fetch follows redirects, attackers can bounce the request to internal IPs (SSRF), leaking sensitive data.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS: 6.9 (Medium)
  • Impact: High Confidentiality (Internal)
  • Exploit Status: PoC Available
  • Prerequisites: SSR Enabled, Custom Error Pages

Affected Systems

  • Astro Web Framework
  • @astrojs/node package (npm)
  • Server-Side Rendering (SSR) deployments
  • Applications with custom error pages (404.astro, 500.astro)
  • @astrojs/node: < 9.5.4 (Fixed in: 9.5.4)

Code Analysis

Commit: e01e98b

Fix: prevent SSRF in error page rendering by disabling automatic redirects

- await fetch(url)
+ await fetch(url, { redirect: 'manual' })
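Review bot: `redirect: 'manual'` stops the fetch from chasing a 3xx to an internal address, but the first hop is still sent to whatever origin was built from the client-supplied Host header, and that response body is still rendered; the hunk should be paired with resolving the error-page URL from the configured site origin (or an allowlist of expected hosts) rather than from the request's Host. The hunk also does not show what is done with the 3xx response now that it is not followed: add an explicit status check so a redirect is treated as a render failure instead of being passed through as the error page body.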

Mitigation Strategies

  • Upgrade Astro packages immediately
  • Implement strict Host header validation at the reverse proxy level
  • Disable automatic redirect following in internal fetch implementations (if manually implemented)
  • Block access to cloud metadata services (IMDS) via network policies

Remediation Steps:

  1. Run npm outdated to check for vulnerable Astro versions.
  2. Update the package: npm install @astrojs/node@latest.
  3. Verify the installed version is >= 9.5.4.
  4. Configure your Nginx/Cloudflare to drop requests with unrecognized Host headers.
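An added example (not Astro's or @astrojs/node's code) showing the two application-side mitigations above side by side: a Host allowlist standing in for the reverse-proxy check, and an internal fetch that uses `redirect: 'manual'` and refuses 3xx responses, next to the pre-fix shape that follows them. The names `resolveOrigin`, `fetchErrorPage`, `vulnerableFetchErrorPage`, `fakeFetch` and the allowlist values are assumptions for illustration.

```javascript
// Added example (not Astro's code): hardened internal fetch for custom error pages.
// Two defences from the advisory: the origin comes from a configured allowlist,
// never from the client-supplied Host header, and redirects are never followed.

// Constructed allowlist of hosts this deployment actually serves.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Validate the Host header against the allowlist and return a trusted origin;
// anything unexpected (an attacker-chosen host) is rejected outright.
function resolveOrigin(hostHeader, allowed = ALLOWED_HOSTS) {
  const name = String(hostHeader || '').trim().toLowerCase().replace(/:\d+$/, '');
  if (!allowed.has(name)) throw new Error(`untrusted Host header: ${hostHeader}`);
  return `https://${name}`;
}

// Pre-fix shape described in the advisory: fetch with default redirect handling
// follows a 3xx, so an internal resource's body is rendered as the error page.
async function vulnerableFetchErrorPage(origin, path, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(new URL(path, origin).toString());
  return { ok: res.ok, status: res.status, body: await res.text() };
}

// Hardened shape: redirect: 'manual' means a 3xx is returned, not chased, and
// we treat it as a failure instead of passing anything through to the renderer.
async function fetchErrorPage(origin, path, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(new URL(path, origin).toString(), { redirect: 'manual' });
  if (res.status >= 300 && res.status < 400) {
    return { ok: false, status: res.status, refused: res.headers.get('location') };
  }
  return { ok: res.ok, status: res.status, body: await res.text() };
}

// Constructed stand-in for fetch so this runs offline: '/404' serves a static
// error page; any other path redirects to a private address (constructed).
async function fakeFetch(url, opts = {}) {
  const { pathname } = new URL(url);
  const headers = new Map();
  if (pathname === '/404') {
    return { status: 404, ok: false, headers, text: async () => '<h1>Not found</h1>' };
  }
  if (opts.redirect === 'manual') {
    headers.set('location', 'http://10.0.0.5/internal');
    return { status: 302, ok: false, headers, text: async () => '' };
  }
  // Default mode models the redirect being followed onto the internal service.
  return { status: 200, ok: true, headers, text: async () => 'internal-only data' };
}
```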

Read the full report for CVE-2026-25545 on our website for more details including interactive diagrams and full exploit analysis.
