PT-2025-47489 · Astro · Astro

Published: 2025-11-19 · Updated: 2025-12-10 · CVE-2025-64765

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 5.15.8

Description: Astro versions prior to 5.15.8 contain a path normalization discrepancy between how the framework routes requests and how middleware validates them. Astro uses decodeURI() to determine the route, while middleware uses context.url.pathname without the same normalization. This allows attackers to bypass validation checks and access protected routes using encoded path variants. The vulnerable code is located in the request handling logic, specifically where the pathname is determined for routing and rendering versus its use in middleware context. The issue arises because context.url.pathname returns the raw, unnormalized path, while the routing process uses the decoded version. An example request that could bypass the check is GET /%61dmin HTTP/1.1. The root cause is the inconsistent application of decodeURI() during path processing.

Recommendations: Update to Astro version 5.15.8 or later.
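The discrepancy the description refers to, as an added illustration that is not Astro's own code: a plain JavaScript model in which the routing side applies decodeURI() and a middleware check either compares the raw URL pathname (the vulnerable pattern) or normalizes it the same way first and fails closed on malformed encoding. The protected prefix /admin, the helper names and the sample requests are assumptions.

```javascript
// Added example, not Astro's own code: models the path normalization
// discrepancy from the description. The "/admin" prefix, the helper names
// and the sample requests are constructed for illustration.

// Routing side: the route is chosen from the decodeURI()'d pathname.
function routePath(rawPathname) {
  return decodeURI(rawPathname);
}

// Shared prefix test, so the only difference between the two checks
// below is whether the path was normalized first.
function matchesProtectedPrefix(path) {
  return path === "/admin" || path.startsWith("/admin/");
}

// Vulnerable pattern: compares context.url.pathname, which is the raw,
// still percent-encoded path (URL.pathname does not decode %61 -> a).
function isProtectedRaw(url) {
  return matchesProtectedPrefix(url.pathname);
}

// Hardened pattern: apply the same decodeURI() normalization the router
// uses before comparing, and fail closed on malformed percent-encoding.
function isProtectedNormalized(url) {
  let path;
  try {
    path = decodeURI(url.pathname);
  } catch {
    return true; // URIError: treat an undecodable path as protected
  }
  return matchesProtectedPrefix(path);
}

// Evaluate one request path the way the router and both checks see it.
function evaluate(requestPath) {
  const url = new URL(requestPath, "http://localhost"); // base is constructed
  return {
    routedTo: routePath(url.pathname),
    rawCheck: isProtectedRaw(url),
    normalizedCheck: isProtectedNormalized(url),
  };
}

// Constructed sample requests, including the one quoted in the description.
for (const p of ["/admin", "/%61dmin", "/admin/%75sers", "/public"]) {
  console.log(p, evaluate(p));
}
```

For /%61dmin the router resolves /admin while the raw check sees /%61dmin and does not match; the normalized check agrees with the router.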

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2025-64765
GHSA-GGXQ-HP9W-J794
GHSA-WHQG-PPGF-WP8C

Affected Products

Astro