CVE-2025-64745: 
JavaScript vulnerability analysis and mitigation

CVE-2025-64745 is a vulnerability in Astro's development server error pages when the trailingSlash configuration option is used. The vulnerability was discovered in November 2025 and affects Astro versions >= 5.2.0, with a patch available in version 5.15.6 (GHSA Advisory).

The vulnerability is a Reflected Cross-Site Scripting (XSS) issue located in astro/packages/astro/src/template/4xx.ts. The root cause stems from the corrected variable, derived from the user-controlled pathname parameter, being directly interpolated into the HTML without proper escaping. While the pathname variable is escaped elsewhere, the corrected variable remains unsanitized before insertion into both the href attribute and link text (GHSA Advisory).

An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links (GHSA Advisory).

The vulnerability has been patched in Astro version 5.15.6. Users are advised to upgrade to this version or later to mitigate the risk. The fix involves proper escaping of the corrected variable before its insertion into the HTML template (GHSA Advisory).