CVE-2025-55207: 
JavaScript vulnerability analysis and mitigation

Following CVE-2025-54793, an Open Redirect vulnerability was discovered in Astro's Node deployment adapter prior to version 9.4.1. The vulnerability affects Astro deployments using the Node adapter in standalone mode with trailingSlash set to "always" in the configuration. The issue was discovered on August 15, 2025, and allows maliciously crafted URLs to redirect users to untrusted external sites (GitHub Advisory).

The vulnerability occurs when URLs containing double forward slashes followed by an external domain (e.g., https://example.com//astro.build/press) are processed by the Node adapter. Instead of handling these URLs internally, the system redirects to the external origin (//astro.build/press). This behavior is specifically present when using the Node deployment adapter in standalone mode with trailingSlash configuration set to "always". The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P (NVD).

This Open Redirect vulnerability (CWE-601) can be exploited by any unauthenticated user who clicks on a specially crafted link pointing to the affected domain. Since the redirected URL appears to originate from a legitimate domain, victims may be tricked into trusting the redirected page, potentially leading to credential theft, malware distribution, or other phishing-related attacks (GitHub Advisory).

The vulnerability has been patched in version 9.4.1 of the @astrojs/node package. Users are advised to upgrade to this version or later to mitigate the risk. The fix involves additional validation of internal paths to prevent unwanted redirects (GitHub Commit).