Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NAstro
APPAstro< 5.15.8
Powiązane podatności
Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot...
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using expo...
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server is...
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image ...
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated us...