@renovate renovate bot commented Oct 11, 2025

This PR contains the following updates:

Package          Change
astro (source)   5.14.1 -> 5.14.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-61925

Summary

When running Astro in on-demand rendering mode using an adapter such as the node adapter, it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property, as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such, a malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example, if a user follows guidance and uses Astro.url for a canonical link, the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.


Release Notes

withastro/astro (astro)

v5.14.3

Compare Source

Patch Changes
  • #14505 28b2a1d Thanks @matthewp! - Fixes Cannot set property manifest error in test utilities by adding a protected setter for the manifest property

  • #14235 c4d84bb Thanks @toxeeec! - Fixes a bug where the "tap" prefetch strategy worked only on the first clicked link with view transitions enabled


Configuration

📅 Schedule: Branch creation - "" in timezone GMT, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
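The advisory above notes that other frameworks validate the host against an allowlist. The following is an added defender-side illustration of that approach, not Astro's code and not the fix shipped in 5.14.3: a small Node helper that derives the effective host only from allowlisted values before building a canonical URL, shown next to the unsafe pattern the advisory describes. The allowlist and request headers are constructed samples; the global `Headers` class is the standard one available in Node 18+.

```javascript
// Added example: trust X-Forwarded-Host only when an operator has allowlisted it.
// Not Astro's code; mirrors the allowlist approach the advisory mentions.

// Constructed sample allowlist of hosts this deployment is allowed to answer for.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Lowercase, take the first hop of a comma-separated chain, reject anything that is not
// a plain hostname[:port], and strip the port so "Example.com:443" compares as "example.com".
function normalizeHost(value) {
  if (typeof value !== 'string') return null;
  const first = value.split(',')[0].trim().toLowerCase();
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(first)) return null;
  return first.replace(/:\d+$/, '');
}

// Unsafe pattern from the advisory: the forwarded header wins without any validation,
// so a poisoned request (and a cache in front of the app) can rewrite every absolute URL.
function naiveHost(headers) {
  return headers.get('x-forwarded-host') ?? headers.get('host');
}

// Hardened: X-Forwarded-Host is honoured only if allowlisted; otherwise fall back to Host,
// which must itself be allowlisted. Returns null when neither is trusted.
function trustedHost(headers, allowed = ALLOWED_HOSTS) {
  const forwarded = normalizeHost(headers.get('x-forwarded-host'));
  if (forwarded !== null && allowed.has(forwarded)) return forwarded;
  const host = normalizeHost(headers.get('host'));
  if (host !== null && allowed.has(host)) return host;
  return null;
}

// Build the canonical URL from a trusted host only; a null result means the caller should
// answer 400 instead of rendering (and therefore caching) a page with an attacker's host.
function canonicalUrl(headers, pathname, allowed = ALLOWED_HOSTS) {
  const host = trustedHost(headers, allowed);
  if (host === null) return null;
  return new URL(pathname, `https://${host}`).toString();
}

// Constructed request mirroring the advisory's curl PoC.
const poisoned = new Headers({ host: 'www.example.com', 'x-forwarded-host': 'www.evil.com' });
console.log(naiveHost(poisoned));          // www.evil.com (reflected, as in the advisory)
console.log(canonicalUrl(poisoned, '/'));  // https://www.example.com/
```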

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Oct 11, 2025
@renovate renovate bot enabled auto-merge (squash) October 11, 2025 13:54

vercel bot commented Oct 11, 2025

The latest updates on your projects.

Project           Deployment   Preview   Comments   Updated (UTC)
clerk-js-sandbox  Ready        Preview   Comment    Oct 13, 2025 4:18pm


changeset-bot bot commented Oct 11, 2025

⚠️ No Changeset found

Latest commit: 48fceee

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Oct 11, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


pkg-pr-new bot commented Oct 11, 2025


@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6966

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6966

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6966

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6966

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6966

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6966

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6966

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6966

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6966

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6966

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6966

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6966

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6966

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6966

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6966

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6966

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6966

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6966

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6966

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6966

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6966

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6966

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6966

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6966

commit: 48fceee

@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 8628ad2 to 055e17d Compare October 13, 2025 06:56
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 055e17d to 85bbadd Compare October 13, 2025 07:07
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 85bbadd to 6913da6 Compare October 13, 2025 07:12
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 6913da6 to 3e8aac9 Compare October 13, 2025 07:16
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 3e8aac9 to ea8abf4 Compare October 13, 2025 07:24
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from ea8abf4 to cae9d27 Compare October 13, 2025 07:40
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from cae9d27 to d75d3f4 Compare October 13, 2025 10:29
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from d75d3f4 to c316090 Compare October 13, 2025 11:54
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from c316090 to 47c41a5 Compare October 13, 2025 11:59
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 47c41a5 to 22d62c3 Compare October 13, 2025 14:22
@renovate renovate bot force-pushed the renovate/npm-astro-vulnerability branch from 22d62c3 to f882f6d Compare October 13, 2025 16:13