CVE-2025-64745: 
JavaScript vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2025-64745) was discovered in Astro's development server error pages when using the trailingSlash configuration option. The vulnerability affects versions >= 5.2.0 and was patched in version 5.15.6. This security issue was disclosed on November 13, 2025, and primarily impacts the development server environment (GitHub Advisory).

The vulnerability exists in the trailingSlashMismatchTemplate function within astro/packages/astro/src/template/4xx.ts. The issue stems from the corrected variable, derived from user-controlled pathname parameter, being directly interpolated into HTML without proper escaping. While the pathname variable is escaped elsewhere (line 114: escape(pathname)), the corrected variable remains unsanitized before insertion into both href attributes and link text. The vulnerability was introduced in commit 536175528 through PR #12994, which implemented trailing slash redirection for on-demand rendered pages (GitHub Advisory, Miggo).

While this vulnerability only affects the development server and not production builds, it could potentially be exploited to compromise developer environments through social engineering or malicious links. The vulnerability allows attackers to inject arbitrary JavaScript code that executes in the victim's browser context (GitHub Advisory).

The vulnerability has been patched in Astro version 5.15.6. Users should upgrade to this version or later to mitigate the risk. The fix involves properly escaping the corrected variable before its insertion into the HTML template (GitHub Advisory).