Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64765

CVE-2025-64765: Astro Auth Bypass Vulnerability

CVE-2025-64765 is an authentication bypass flaw in Astro web framework that allows attackers to access protected routes using encoded paths. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-64765 Overview

CVE-2025-64765 is an authorization bypass vulnerability in the Astro web framework affecting versions prior to 5.15.8. The flaw stems from inconsistent URL path normalization between Astro's internal routing logic and application middleware. Astro applies decodeURI() when resolving which route to render, but middleware inspects context.url.pathname without the same normalization. Attackers can craft URL-encoded path variants that middleware validation treats as unprotected while the router resolves them to protected routes. This mismatch enables access to routes intended to be gated by middleware authorization checks. The issue is tracked under [CWE-22] and has been patched in Astro 5.15.8.

Critical Impact

Remote unauthenticated attackers can bypass middleware-based access controls to reach protected routes by sending percent-encoded path variants.

Affected Products

  • Astro framework versions prior to 5.15.8
  • Node.js applications built with vulnerable Astro releases
  • Server-rendered Astro deployments relying on middleware for route protection

Discovery Timeline

  • 2025-11-19 - CVE-2025-64765 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64765

Vulnerability Analysis

The vulnerability is a path traversal and authorization bypass class issue caused by inconsistent URI decoding. Astro's request pipeline decodes percent-encoded characters when matching routes, so a path like /admin and /%61dmin resolve to the same route handler. Middleware, however, reads context.url.pathname directly from the parsed URL, which preserves the raw encoded form. A middleware guard that checks if (pathname.startsWith('/admin')) will not match /%61dmin, but the Astro router still dispatches the request to the /admin route. The attacker gains unauthenticated access to functionality the developer explicitly attempted to protect.

Root Cause

The root cause is a normalization mismatch between two components of the request lifecycle. The renderer canonicalizes the path via decodeURI(), while new URL(request.url) used by middleware does not decode path segments. Any middleware relying on string comparisons against context.url.pathname therefore operates on a different representation than the router uses for dispatch.

Attack Vector

Exploitation requires only a crafted HTTP request over the network with no authentication or user interaction. An attacker substitutes any character of a protected path with its percent-encoded equivalent (for example, %61 for a) to evade middleware string matching while still hitting the intended route.

typescript
// Security patch in packages/astro/src/core/render-context.ts
// Normalize the URL exposed to middleware so it matches router behavior
		public clientAddress: string | undefined,
		protected cookies = new AstroCookies(request),
		public params = getParams(routeData, pathname),
-		protected url = new URL(request.url),
+		protected url = RenderContext.#createNormalizedUrl(request.url),
		public props: Props = {},
		public partial: undefined | boolean = undefined,
		public shouldInjectCspMetaTags = !!pipeline.manifest.csp,

// Security patch in packages/astro/src/vite-plugin-astro-server/request.ts
-	url.pathname = removeTrailingForwardSlash(config.base) + url.pathname;
+	url.pathname = removeTrailingForwardSlash(config.base) + decodeURI(url.pathname);

Source: GitHub Commit 6f80081

Detection Methods for CVE-2025-64765

Indicators of Compromise

  • HTTP request logs containing percent-encoded characters in path segments that map to protected routes, such as /%61dmin or /dashboa%72d.
  • Successful 200 responses to routes that should have returned 401, 403, or a redirect from middleware.
  • Spikes in requests targeting encoded variants of known administrative or authenticated endpoints.

Detection Strategies

  • Compare access logs of routes accessed via encoded paths against middleware audit logs to identify requests that reached handlers without middleware authorization events.
  • Deploy a web application firewall rule that normalizes and decodes request paths before evaluating allow/deny policies.
  • Perform grep-based inventory of the codebase for middleware using context.url.pathname in startsWith, equality, or regex checks without prior decodeURI() calls.

Monitoring Recommendations

  • Alert on any request whose raw path contains % characters and resolves to a route enumerated as protected.
  • Track anomalous authentication-free access to routes that historically require session cookies or bearer tokens.
  • Monitor Astro dependency versions across build pipelines to flag deployments still shipping releases prior to 5.15.8.

How to Mitigate CVE-2025-64765

Immediate Actions Required

  • Upgrade Astro to version 5.15.8 or later across all affected projects and rebuild deployment artifacts.
  • Audit every middleware file that inspects context.url.pathname and wrap comparisons with decodeURI() until the upgrade is complete.
  • Review server access logs for percent-encoded path variants targeting authenticated routes over the exposure window.

Patch Information

The fix is delivered in Astro 5.15.8 via commit 6f800813516b07bbe12c666a92937525fddb58ce. The patch introduces RenderContext.#createNormalizedUrl and applies decodeURI() to url.pathname in the Vite dev server request handler so middleware sees the same path the router resolves. See the Astro GitHub Security Advisory GHSA-ggxq-hp9w-j794 for the official disclosure.

Workarounds

  • Manually apply decodeURI(context.url.pathname) before any authorization comparison in middleware.
  • Reject requests containing % in path segments at the reverse proxy layer for environments that cannot upgrade immediately.
  • Add server-side authorization checks inside individual route handlers so middleware is not the sole enforcement point.
bash
# Upgrade Astro to the patched release
npm install astro@5.15.8

# Verify the installed version
npm ls astro

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.