CVE-2025-66202

Medium CVSS: 6.5

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.

Vendor

Astro

Product

Astro

CWE

CWE-647

Yayın Tarihi

2025-12-09 00:15:48

Güncelleme

2025-12-10 23:46:47

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-647 Astro MEDIUM Astro 2025

Referanslar

https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794 https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c

Benzer Kayıtlar

Medium

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path head…

Low

CVE-2026-33769

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path…

Medium

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full reque…

Medium

CVE-2026-27829

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domai…

Medium

CVE-2026-27729

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit,…

Medium

CVE-2026-25545

Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered cus…