CVE-2025-64765

Medium CVSS: 6.9

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.

Vendor

Astro

Product

Astro

CWE

CWE-22

Yayın Tarihi

2025-11-19 17:15:52

Güncelleme

2025-11-25 15:11:31

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Astro MEDIUM Astro 2025

Referanslar

https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794

Benzer Kayıtlar

Medium

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path head…

Low

CVE-2026-33769

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path…

Medium

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full reque…

Medium

CVE-2026-27829

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domai…

Medium

CVE-2026-27729

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit,…

Medium

CVE-2026-25545

Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered cus…