Authorization Bypass in Astro Web Framework Affects Version 6.4.7
CVE-2026-59731
8.2HIGH
What is CVE-2026-59731?
The Astro web framework, particularly in version 6.4.7, is susceptible to a security flaw that allows for unauthorized access to protected routes. This occurs due to the framework's reliance on a partially decoded pathname after it hits the iterative URL decoder limit during authorization decisions. Subsequently, the routing process may incorrectly permit access to these secured routes following an additional decodeURI() operation. Versions following 6.4.7 address this vulnerability, emphasizing the importance of upgrading to version 6.4.8 or later.
Affected Version(s)
astro >= 6.4.7, < 6.4.8
