MEDIUM🇬🇧 English

CVE-2025-66202

CVSS 6.5v3.1pub. 2025-12-09upd. 2025-12-10

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Astro

    APP
    Astro
    < 5.15.8
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2026-50146HIGH7.1ten sam produkt

Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot...

CVE-2026-54299HIGH7.5ten sam produkt

Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using expo...

CVE-2025-64764HIGH7.1ten sam produkt

Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server is...

CVE-2025-59837HIGH7.2ten sam produkt

Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image ...

CVE-2024-56159HIGH7.8ten sam produkt

Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated us...

CVE-2025-66202 — MEDIUM 6.5 | CVEbaza.pl