Astro middleware authentication checks based on url.pathname can be bypassed...

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.

Basic Information

ID CVE-2025-64765

Source GitHub_M

Published Nov 19, 2025 at 16:41

Modified Nov 19, 2025 at 21:07

Affected Product

Vendor withastro

Product astro

Version < 5.15.8

Affected Versions withastro astro < 5.15.8

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application\u2019s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.",
    "published": "2025-11-19T16:41:19.022Z",
    "modified": "2025-11-19T21:07:58.660Z",
    "type": "cve",
    "title": "Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values",
    "source": "GitHub_M",
    "references": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794\nhttps://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce",
    "id": "CVE-2025-64765",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "withastro astro < 5.15.8",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "astro",
    "version": "< 5.15.8",
    "vendor": "withastro",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values_CVE-2025-64765