CVE-2026-25545: SSRF in @astrojs/node via Host Header Injection with PoC

Thinking Process: 1. Analyze the Request: Task: Translate a Chinese vulnerability intelligence summary to English. Role: Professional translator specializing in cybersecurity. Format: Maintain all Markdown formatting intact. Constraint: Do not add any introductory or concluding remarks. Just output the English translation. Input: A Markdown snippet containing vulnerability details (Overview, Description, Remediation, PoC/Testing). 2. Analyze the Input Content: Header: (Key Vulnerability Information) Section 1: (Vulnerability Overview) Fields: Type, Affected Library, Affected Version, Fixed Version, Severity, CVE ID, Weakness Type. Specific terms: "Full-Read SSRF via Host: header injection", "@astrojs/node (npm)", "中等 (6.9/10)", "CWE-918". Section 2: (Vulnerability Description) Subsection: (Summary) Subsection: (Details) Content: SSRF vulnerability in SSR pages returning errors with prerendered custom error pages. Attacker injects Host header. logic mentioned. Section 3: (Remediation Recommendations) Update version. Implement security validation (filter Host header). Configure internal network policies. Section 4: (Example Code and Testing Steps) PoC details. Related information (impact, scenarios). Reporters. 3. Drafting the Translation (Iterative Process): -> -> -> (Keep English terms as they are technical) -> -> -> -> -> -> -> -> -> (This part is already in English in the input, but I need to check if I should translate it or keep it. The prompt says "Translate the following Chinese vulnerability intelligence summary". The input contains mixed Chinese and English. Usually, in such tasks, I should translate the Chinese parts and keep the existing English technical terms intact. However, looking closely at the input, the "Summary" content is actually in English already in the provided text. Wait, let me re-read the input carefully.) Correction: The input text provided by the user contains English text in the "Summary" and "Details" sections partially? Let's look at the input again: (Chinese) (Mixed) (Mixed) ... (Chinese) (Chinese) (English) (Chinese) (Chinese) Decision: I need to translate the Chinese parts into English. The existing English parts (like the Summary content) should remain as is or be polished if they look like a draft, but since the instruction is to translate the summary, I should ensure the whole output is in English. The existing English text in the input seems to be part of the source text provided. I will keep the existing English text as is (since it's already English) but translate the surrounding Chinese labels and the Chinese paragraphs. Actually, looking at the "Summary" content: This is already English. I will keep it. "Details" content: This is Chinese. I need to translate this. "Remediation" content: Chinese. Translate. "Example Code" content: Chinese. Translate. Refining "Details" translation: Host: -> Host: statusURL -> statusURL Refining "Remediation" translation: @astrojs/node -> @astrojs/node Host: -> Host: -> Refining "Example Code" translation: -> -> -> 4. Final Review: Check Markdown syntax (headers, bolding, lists). Ensure no extra text is added. Ensure terminology is accurate for cybersecurity context (e.g., "SSRF", "Host header", "Prerendered", "PoC"). Self-Correction on "Summary" section: The input has followed by English text. I should translate the label to . The content is already English, so I leave it. Self-Correction on "Details" section: The input has followed by Chinese text. I translate the label to and the text to English. Self-Correction on "PoC" section: -> . 5. Final Polish: Make sure the tone is professional. Ensure version numbers and CVE IDs are exact. Input Check: . This looks like a future CVE (2026), but I must translate exactly as provided. Input Check: . Keep as is. Let's assemble the output. Wait, checking the "Summary" section in the input again. Input: Output should keep the structure. Input: Output should translate both label and content. One detail: -> . -> . -> . -> . -> . -> . Looks good. I will generate the output now. Wait, one small check on "Full-Read SSRF". In the input it is . I will keep it. Check on . In the input it is . I will keep it. Check on . Keep it. Final check on constraints: "Do not add any introductory or concluding remarks". "Maintain all Markdown formatting intact". Ready. One minor adjustment: In the "Details" section, the input has inside backticks in the Chinese text . I should preserve the backticks in the translation . Input: 头 -> header. Input: -> . Let's finalize the translation of the "Details" paragraph for flow. "Attackers can modify the header to redirect their requests to their own server, thereby initiating subsequent internal requests. In the example code, is used to receive the response and return it to the client; if the response is valid, sensitive information can be further accessed." "thereby" sounds slightly better than "and subsequently". Let's use "and subsequently" to stay closer to the original

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-25545: SSRF in @astrojs/node via Host Header Injection with PoC

More from this source