Authentication Bypass Vulnerability in Astro Web Framework
CVE-2025-66202

6.5MEDIUM

Key Information:

Vendor

Withastro

Status
Astro
Vendor
CVE Published:
8 December 2025

What is CVE-2025-66202?

The Astro web framework versions 5.15.7 and earlier are susceptible to a double URL encoding bypass that enables unauthenticated attackers to circumvent path-based authentication measures in middleware. This vulnerability permits unauthorized access to restricted routes. Although a fix was applied in version 5.15.8 to address a similar issue identified in CVE-2025-64765, it inadequately resolves the problem as it only processes the URL encoding once. Attackers can exploit this weakness by utilizing double-encoded URLs, successfully gaining entry to any middleware-protected routes.

Affected Version(s)

astro < 5.15.8

References

https://github.com/withastro/astro/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/withastro/astro/security/advisories/GH...
x_refsource_MISC
https://github.com/withastro/astro/commit/6f800813516b07b...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.