7 matches found

vulnersOsv
added 2025/12/08 4:26 p.m.

@ampt/astro (=0.0.1-beta.1), @antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1) +383 more potentially affected by CVE-2025-64765 +1 more via astro (>=0.20.12 <=5.15.6)

astro NPM version =0.20.12, =1.0.0, =0.5.0, =1.0.0, =0.0.17, =0.0.2, =0.0.1, =0.2.0, =0.0.0-experimental-7c2f356, =0.0.0-experimental-7c2f356, =0.5.1 - @astro-sanctuary/toolbar-drupal =0.1.1 - @astrojs/og =0.0.1 and more Source cves: CVE-2025-64765, CVE-2025-66202 Source advisory:...

CVSS 6.9 · AI score 5.4 · EPSS 0.00462
Exploits 1
Snyk
added 2025/12/08 4:26 p.m.

Use of Non-Canonical URL Paths for Authorization Decisions

Overview: Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for...

CVSS 6.9 · AI score 6.9 · EPSS 0.00462
Exploits 1 · References 2
vulnersOsv
added 2025/12/08 4:26 p.m.

@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +19 more potentially affected by CVE-2025-64765 +1 more via astro (>=5.0.0-beta.5 <=5.16.2)

astro NPM version =5.0.0-beta.5, =1.0.0, =0.5.0, =0.0.1, =0.1.0, =0.0.1, =2.18.7, =0.1.2-alpha.1, =0.0.28, =0.0.28, =1.5.1, =1.13.2, =0.1.8, =1.0.21, =1.0.22 and more Source cves: CVE-2025-64765, CVE-2025-66202 Source advisory: SNYK:JS-ASTRO-14235580...

CVSS 6.9 · AI score 5.8 · EPSS 0.00462
Exploits 1
Github Security Blog
added 2025/12/08 4:26 p.m.

Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765

Authentication Bypass via Double URL Encoding in Astro. Bypass for CVE-2025-64765 / GHSA-ggxq-hp9w-j794. Summary: A double URL encoding bypass allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. Whi...

CVSS 6.9 · AI score 7.3 · EPSS 0.00462
Exploits 1 · References 6 · Affected Software 1
vulnersOsv
added 2025/11/19 8:3 p.m.

@ampt/astro (=0.0.1-beta.1), @antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1) +383 more potentially affected by CVE-2025-64765 +1 more via astro (>=0.20.12 <=5.15.6)

astro NPM version =0.20.12, =1.0.0, =0.5.0, =1.0.0, =0.0.17, =0.0.2, =0.0.1, =0.2.0, =0.0.0-experimental-7c2f356, =0.0.0-experimental-7c2f356, =0.5.1 - @astro-sanctuary/toolbar-drupal =0.1.1 - @astrojs/og =0.0.1 and more Source cves: CVE-2025-64765, CVE-2025-66202 Source advisory:...

CVSS 6.9 · AI score 5.4 · EPSS 0.00462
Exploits 1
OSV
added 2025/11/19 4:41 p.m.

CVE-2025-64765 Astro middleware authentication checks based on url.pathname can be bypassed via url encoded values

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the...

CVSS 6.9 · AI score 6.8 · EPSS 0.00462
Exploits 1 · References 4
CVE
added 2025/11/19 4:41 p.m.

CVE-2025-64765

Astro (web framework) vulnerability CVE-2025-64765 and related advisories describe a path normalization mismatch: Astro uses decodeURI for routing, while middleware reads context.url.pathname without the same normalization. This permits bypassing path-based authentication by double-encoded URLs (...

CVSS 6.9 · AI score 6.5 · EPSS 0.00462
Exploits 1 · References 2 · Affected Software 1
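The normalization mismatch the OSV and CVE entries describe (router decodes with decodeURI, middleware compares the raw pathname) and the double-encoding follow-up from the GitHub Security Blog entry, as an added illustration. This is not code from Astro or from any of the advisories listed above: the router stand-in, the three middleware checks, the `/admin` prefix and the sample requests are assumptions made for the example. How Astro itself handled the double-encoded form is not stated on this page and is not modelled here beyond the observation that one decode leaves such a path still encoded.

```javascript
// Added illustration of the routing/middleware path-normalization mismatch
// described for CVE-2025-64765 and the double-encoding follow-up
// (CVE-2025-66202). NOT Astro's code: router, checks and requests are
// hypothetical stand-ins for the behaviour the advisories describe.

const PROTECTED_PREFIX = "/admin"; // assumed protected route prefix

// Stand-in for the router: the advisory says Astro applies decodeURI to the
// request path to decide which route to render.
function routerPath(rawPathname) {
  try {
    return decodeURI(rawPathname);
  } catch {
    return null; // malformed percent-encoding: treat as unroutable
  }
}

// Fully canonical form: decode until the string stops changing, bounded so a
// hostile input cannot keep this looping. Used only to judge whether a
// request ultimately targets the protected prefix.
function canonicalPath(rawPathname, maxRounds = 4) {
  let current = rawPathname;
  for (let i = 0; i < maxRounds; i++) {
    const next = routerPath(current);
    if (next === null || next === current) break;
    current = next;
  }
  return current;
}

// Vulnerable pattern (CVE-2025-64765): decide on the undecoded pathname
// (what context.url.pathname exposes) while the router renders the decoded
// route. "/%61dmin" is not seen as "/admin" here but is routed as "/admin".
function vulnerableIsProtected(rawPathname) {
  return rawPathname.startsWith(PROTECTED_PREFIX);
}

// Naive fix: decode once, then compare. A double-encoded path survives one
// decode as a still-encoded string, so it is not recognised as protected.
function singleDecodeIsProtected(rawPathname) {
  const decoded = routerPath(rawPathname);
  if (decoded === null) return true; // fail closed on malformed input
  return decoded.startsWith(PROTECTED_PREFIX);
}

// Hardened pattern (an assumption, not the upstream patch): decode once the
// way the router does, then refuse anything that is still not canonical,
// i.e. anything that still carries a percent-escape after decoding.
function hardenedIsProtected(rawPathname) {
  const decoded = routerPath(rawPathname);
  if (decoded === null) return true;                // fail closed
  if (/%[0-9a-fA-F]{2}/.test(decoded)) return true; // residual encoding: deny
  return decoded.startsWith(PROTECTED_PREFIX);
}

// Run one request through a check. "bypass" means the check did not block
// the request although its canonical form targets the protected prefix.
function evaluate(rawPathname, check) {
  const blocked = check(rawPathname);
  const canonical = canonicalPath(rawPathname);
  return {
    rawPathname,
    canonical,
    blocked,
    bypass: !blocked && canonical.startsWith(PROTECTED_PREFIX),
  };
}

// Constructed sample requests: plain, single-encoded, double-encoded, benign.
const SAMPLE_REQUESTS = ["/admin", "/%61dmin", "/%2561dmin", "/public"];

const CHECKS = {
  vulnerable: vulnerableIsProtected,
  singleDecode: singleDecodeIsProtected,
  hardened: hardenedIsProtected,
};

// Which check lets which encoding through.
function bypassMatrix(requests = SAMPLE_REQUESTS) {
  const rows = [];
  for (const raw of requests) {
    for (const [name, check] of Object.entries(CHECKS)) {
      rows.push({ check: name, ...evaluate(raw, check) });
    }
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(bypassMatrix()); // node this_file.js
}
```

The hardened variant is deny-by-default on any residual escape, which also refuses legitimate encodings of reserved characters that decodeURI leaves alone (for example `%2F` in a segment); if an application needs those, the comparison should be done on a form both the router and the middleware agree on rather than by loosening the residual-escape test.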