CVEFinder.io

CVE-2025-64765

🔶 medium
Description

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application's middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.
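The following is an added example, not Astro's code and not from the advisory. It models the mismatch the description above names: a middleware that compares the raw context.url.pathname against a protected prefix, beside a hardened check that applies the same decodeURI() normalization the router uses before matching. The "/admin" prefix, the startsWith() comparison, and the sample request paths are constructed assumptions for illustration; the router's behaviour is reduced to a plain decodeURI() call as the advisory states, not a reproduction of Astro's routing.

```javascript
// Added example (not Astro's own code): models the path-normalization
// mismatch described in CVE-2025-64765 and a middleware check that
// applies the same normalization the router uses.
//
// Assumptions (constructed for this example, not from the advisory):
//   - the protected area is everything under the "/admin" prefix;
//   - the application's middleware gates it with a startsWith() check;
//   - the router's normalization is modeled as a plain decodeURI() call,
//     which is what the advisory says Astro applies before route matching.

const PROTECTED_PREFIX = "/admin"; // hypothetical protected route prefix

// Router's view of the request path, per the advisory: decodeURI() first.
function routerPath(pathname) {
  return decodeURI(pathname);
}

// Pre-5.15.8 style check: reads context.url.pathname as-is, so a
// percent-encoded variant of "/admin" never matches the prefix.
function isProtectedRaw(pathname) {
  return pathname.startsWith(PROTECTED_PREFIX);
}

// Hardened check: normalize exactly as the router does before comparing.
// decodeURI() throws URIError on a malformed escape sequence; the check
// fails closed on such input instead of guessing what the router would do.
function isProtectedNormalized(pathname) {
  let decoded;
  try {
    decoded = decodeURI(pathname);
  } catch (err) {
    if (err instanceof URIError) return true; // fail closed on malformed input
    throw err;
  }
  return decoded.startsWith(PROTECTED_PREFIX);
}

// Runs one request through a middleware check and then the router, and
// reports what the router would render. "blocked" means the middleware
// stopped the request before rendering; "malformed" means decodeURI() threw.
function simulate(pathname, check) {
  if (check(pathname)) return { guarded: true, rendered: "blocked" };
  let rendered;
  try {
    rendered = routerPath(pathname);
  } catch (err) {
    if (err instanceof URIError) rendered = "malformed";
    else throw err;
  }
  return { guarded: false, rendered };
}

// Audit helper: returns the request paths for which the raw check lets the
// request through even though the router resolves it into the protected
// area. Suitable as a regression test after moving to the hardened check.
function findBypasses(paths) {
  return paths.filter((p) => {
    const raw = simulate(p, isProtectedRaw);
    return !raw.guarded && raw.rendered.startsWith(PROTECTED_PREFIX);
  });
}

// Constructed sample paths; "/%61dmin" is "/admin" with the "a" percent-encoded.
const SAMPLE_PATHS = ["/admin/users", "/%61dmin/users", "/public", "/admin/%ZZ"];

if (typeof require !== "undefined" && require.main === module) {
  for (const p of SAMPLE_PATHS) {
    console.log(p, "raw:", simulate(p, isProtectedRaw),
                "normalized:", simulate(p, isProtectedNormalized));
  }
  console.log("bypasses under raw check:", findBypasses(SAMPLE_PATHS));
}
```

The point of the simulation is that the two functions disagree only on the encoded variant: the raw check lets it through and the router still renders the protected route, while the normalized check sees the same string the router sees. In a real middleware the equivalent change is to normalize context.url.pathname with the same decodeURI() step before any prefix or equality comparison (and to reject input on which decodeURI() throws), or to upgrade to 5.15.8 as the advisory states.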

CVSS Score
5.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2025-11-19
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.7% of all 329,456 vulnerabilities in our database.

#264,595
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Nov 20, 2025
🔍 Exploitation Status
None
No known exploits
โš™๏ธ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-11-25
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 2

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-50146 ⚠️ high 7.1 0.2 Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content i... 2026-06-22
CVE-2026-54298 🔶 medium 4.2 0.2 Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterat... 2026-06-22
CVE-2026-54299 ⚠️ high 7.5 0.2 Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const p... 2026-06-22
CVE-2026-45028 🔶 medium 6.1 0.0 Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and inte... 2026-05-13
CVE-2026-41067 🔶 medium 6.1 0.0 Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a... 2026-04-24
CVE-2026-33769 🔶 medium 5.3 0.0 Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path... 2026-03-24
These CVEs affect the same products