Path Validation Flaw in Astro Web Framework by Astro
CVE-2025-64765

6.9MEDIUM

Key Information:

Vendor: Withastro
Status: Astro
Vendor: CVE Published:; 19 November 2025

What is CVE-2025-64765?

The Astro Web Framework contains a vulnerability that arises from a discrepancy in how request paths are normalized for routing compared to how the application middleware validates those paths. Specifically, Astro uses decodeURI() to normalize the request paths for rendering routes, while the middleware relies on context.url.pathname without applying similar normalization. This inconsistency allows attackers to access protected routes by using encoded path variants that can bypass necessary validation checks. The issue has been addressed in version 5.15.8, emphasizing the importance of upgrading to maintain security integrity.

Affected Version(s)

astro < 5.15.8

References

https://github.com/withastro/astro/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/withastro/astro/commit/6f800813516b07b...

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 19, 2025
Vulnerability Reserved
Nov 10, 2025

JSON

Withastro

What is CVE-2025-64765?

Affected Version(s)

References

CVSS V4

Timeline