You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences, as we will see below, the most important of which are:
Middleware-based protected route bypass (only via x-forwarded-proto)
DoS via cache poisoning (if a CDN is present)
SSRF (only via x-forwarded-proto)
URL pollution (potential SXSS, if a CDN is present)
WAF bypass
Details
The x-forwarded-proto and x-forwarded-port headers are used without sanitization in two parts of the Astro server code. The most important is in the createRequest() function. Any configuration, including the default one, is affected:
These header values are then used directly to construct URLs.
By injecting a payload at the protocol level during URL creation (via the x-forwarded-proto header), we can rewrite the entire URL, including the host, port and path, and then pass the rest of the URL, the real hostname and path, as a query so that it doesn't affect (re)routing.
If we inject the following header value when requesting the path /ssr:
The complete URL that will be created is: https://www.malicious-url.com/?tank=://localhost/ssr
As a reminder, URLs are created like this:
url = new URL(`${protocol}://${hostnamePort}${req.url}`);
Our value is injected at the beginning of the string (${protocol}), and ends with a query ?tank= whose value is the rest of the string, ://${hostnamePort}${req.url}.
This way we have control over the routing without affecting the path, and can manipulate the URL arbitrarily. This behavior can be exploited in various ways, as we will see in the PoC section.
The same logic applies to x-forwarded-port, with a few differences.
Note
The createRequest function is called every time a non-static page is requested. Therefore, all non-static pages are exploitable for reproducing the attack.
PoC
For our PoC, we will use a minimal repository:
Latest Astro version at the time (2.16.0)
The Node adapter
Two simple pages, one SSR (/ssr), the other simulating an admin page (/admin) protected by a middleware
A middleware example copied and pasted from the official Astro documentation to protect the admin page based on the path
Here, with the payload x:admin?, we use the URL API parser to our advantage:
x: is considered the protocol
Since there is no //, the parser considers there to be no authority, and everything before the ? character is therefore considered part of the path: admin
During a path-based middleware check, the path value begins with a /: context.url.pathname === "/admin". However, this is not the case with our payload; context.url.pathname === "admin", the absence of a slash satisfies both the middleware check and the router and consequently allows us to bypass the protection and access the page.
SSRF
As we have seen, the request URL is built from untrusted input via the x-forwarded-protocol header, if it turns out that this URL is subsequently used to perform external network calls, for an API for example, this allows an attacker to supply a malicious URL that the server will fetch, resulting in server-side request forgery (SSRF).
Example of code reusing the "origin" URL, concatenating it to the API endpoint :
DoS via cache poisoning
If a CDN is present, it is possible to force the caching of bad pages/resources, or 404 pages on the application routes, rendering the application unusable.
We can force a 404 error on the /ssr page like this : curl -i -H "x-forwarded-proto: https://localhost/vulnerable?" http://localhost:4321/ssr
Same logic applies to x-forwarded-port : curl -i -H "x-forwarded-port: /vulnerable?" http://localhost:4321/ssr
How is this possible?
The router sees the request for the path /vulnerable, which does not exist, and therefore returns a 404, while the potential CDN sees /ssr and can then cache the 404 response, consequently serving it to all users requesting the path /ssr.
URL pollution
The exploitability of the following is also contingent on the presence of a CDN, and is therefore cache poisoning.
If the value of request.url is used to create links within the page, this can lead to Stored XSS with x-forwarded-proto and the following value:
If the value of request.url is used to create links within the page, this can lead to broken links, with the header and the following value:
X-Forwarded-Port: /nope?
Example of an Astro website belonging to one of our clients :
WAF bypass
For this section, we invite you to read our previous research on the React-Router/Remix framework, in the section "Exploitation - WAF bypass and escalations". This research deals with a similar case, the difference being that the vulnerable header was x-forwarded-host in their case:
It is possible to completely bypass the vulnerability patch related to the X-Forwarded-Host header.
By sending x-forwarded-host with an empty value, the forwardedHostname variable is assigned an empty string. Then, during the subsequent check, the condition fails because forwardedHostname returns false, its value being an empty string:
if (forwardedHostname && !App.validateForwardedHost(...))
Consequently, the implemented check is bypassed. From this point on, since the request has no host (its value being an empty string), the path value is retrieved by the URL parser to set it as the host. This is because the http/https schemes are considered special schemes by the WHATWG URL Standard Specification, requiring an authority state.
From there, the following request on the example SSR application (astro repo) yields an SSRF: empty x-forwarded-host + the target host in the path
Summary
In impacted versions of Astro using on-demand rendering, request headers
x-forwarded-protoandx-forwarded-portare insecurely used, without sanitization, to build the URL. This has several consequences, as we will see below, the most important of which are:x-forwarded-proto)x-forwarded-proto)Details
The
x-forwarded-protoandx-forwarded-portheaders are used without sanitization in two parts of the Astro server code. The most important is in thecreateRequest()function. Any configuration, including the default one, is affected:astro/packages/astro/src/core/app/node.ts
Line 97 in 970ac0f
astro/packages/astro/src/core/app/node.ts
Line 121 in 970ac0f
These header values are then used directly to construct URLs.
By injecting a payload at the protocol level during URL creation (via the
x-forwarded-protoheader), we can rewrite the entire URL, including the host, port and path, and then pass the rest of the URL, the real hostname and path, as a query so that it doesn't affect (re)routing.If we inject the following header value when requesting the path
/ssr:The complete URL that will be created is:
https://www.malicious-url.com/?tank=://localhost/ssrAs a reminder, URLs are created like this:
Our value is injected at the beginning of the string (
${protocol}), and ends with a query?tank=whose value is the rest of the string,://${hostnamePort}${req.url}.This way we have control over the routing without affecting the path, and can manipulate the URL arbitrarily. This behavior can be exploited in various ways, as we will see in the PoC section.
The same logic applies to
x-forwarded-port, with a few differences.Note
The
createRequestfunction is called every time a non-static page is requested. Therefore, all non-static pages are exploitable for reproducing the attack.PoC
For our PoC, we will use a minimal repository:
2.16.0)/ssr), the other simulating an admin page (/admin) protected by a middlewareDownload the PoC repository
Middleware-based protected route bypass - x-forwarded-proto only
The middleware has been configured to protect the
/adminroute based on the official documentation:When we try to access
/adminwe are naturally redirected :We can bypass the middleware path check using a malicious header value:
curl -i -H "x-forwarded-proto: x:admin?" http://localhost:4321/adminHow is this possible?
Here, with the payload
x:admin?, we use the URL API parser to our advantage:x:is considered the protocol//, the parser considers there to be no authority, and everything before the?character is therefore considered part of the path:adminDuring a path-based middleware check, the path value begins with a
/:context.url.pathname === "/admin". However, this is not the case with our payload;context.url.pathname === "admin", the absence of a slash satisfies both the middleware check and the router and consequently allows us to bypass the protection and access the page.SSRF
As we have seen, the request URL is built from untrusted input via the
x-forwarded-protocolheader, if it turns out that this URL is subsequently used to perform external network calls, for an API for example, this allows an attacker to supply a malicious URL that the server will fetch, resulting in server-side request forgery (SSRF).Example of code reusing the "origin" URL, concatenating it to the API endpoint :
DoS via cache poisoning
If a CDN is present, it is possible to force the caching of bad pages/resources, or 404 pages on the application routes, rendering the application unusable.
We can force a
404error on the/ssrpage like this :curl -i -H "x-forwarded-proto: https://localhost/vulnerable?" http://localhost:4321/ssrSame logic applies to
x-forwarded-port:curl -i -H "x-forwarded-port: /vulnerable?" http://localhost:4321/ssrHow is this possible?
The router sees the request for the path
/vulnerable, which does not exist, and therefore returns a404, while the potential CDN sees/ssrand can then cache the404response, consequently serving it to all users requesting the path/ssr.URL pollution
The exploitability of the following is also contingent on the presence of a CDN, and is therefore cache poisoning.
If the value of
request.urlis used to create links within the page, this can lead to Stored XSS withx-forwarded-protoand the following value:results in the following URL object:
It is also possible to inject any link, always, if the value of
request.urlis used on the server side to create links.We are more limited with
x-forwarded-portIf the value of
request.urlis used to create links within the page, this can lead to broken links, with the header and the following value:Example of an Astro website belonging to one of our clients :
WAF bypass
For this section, we invite you to read our previous research on the React-Router/Remix framework, in the section "Exploitation - WAF bypass and escalations". This research deals with a similar case, the difference being that the vulnerable header was
x-forwarded-hostin their case:https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path
Note: A section addressing DoS attacks via cache poisoning using the same vector was also included there.
CVE-2025-61925 complete bypass
It is possible to completely bypass the vulnerability patch related to the
X-Forwarded-Hostheader.By sending
x-forwarded-hostwith an empty value, theforwardedHostnamevariable is assigned an empty string. Then, during the subsequent check, the condition fails becauseforwardedHostnamereturnsfalse, its value being an empty string:Consequently, the implemented check is bypassed. From this point on, since the request has no
host(its value being an empty string), the path value is retrieved by the URL parser to set it as thehost. This is because thehttp/httpsschemes are considered special schemes by the WHATWG URL Standard Specification, requiring anauthority state.From there, the following request on the example SSR application (astro repo) yields an SSRF:
empty
x-forwarded-host+ the targethostin the pathCredits