CVE-2026-54299
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
Astro is a web framework that prior to version 6.4.6 had an issue with SSR apps using prerendered error pages. When an error occurred, these pages were fetched over HTTP, allowing an attacker to direct the request to an arbitrary host.
Risk Assessment
The lack of validation for the Host header allows an attacker to read responses from any host, potentially leading to the exposure of sensitive information.
Recommendation
It is recommended to upgrade to version 6.4.6 or later to mitigate this vulnerability and to implement Host header validation in applications.
Original NVD description (English source)
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response. This vulnerability is fixed in 6.4.6.

