PT-2025-48291 · Astro · Astro

Published 2025-11-19 · Updated 2025-12-11 · CVE-2025-66202

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Astro versions 5.15.7 and below

Description: Astro, a web framework, is affected by a double URL encoding bypass that allows unauthenticated attackers to evade path-based authentication checks in Astro middleware and potentially gain unauthorized access to protected routes. The initial fix in version 5.15.8 was insufficient because it decoded URLs only once, so a double-encoded URL still passes the middleware pathname check and reaches routes the middleware is meant to protect. The vulnerable component is the middleware pathname checks.

Recommendations: Update to a version later than 5.15.7.
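The following is an added example, not Astro's own middleware code: a path guard that decodes the request path until it stops changing and normalizes it before comparing it with protected prefixes, shown next to the single-decode check the advisory describes as insufficient. The protected prefixes, the bounded decode limit and the fail-closed behaviour on malformed input are assumptions of this example.

```javascript
// Added example, not Astro's code: a middleware-style path guard that
// canonicalizes the request path before comparing it with protected prefixes.
// PROTECTED_PREFIXES is a constructed sample; a real app takes it from config.
const PROTECTED_PREFIXES = ["/admin", "/api/internal"];

function matchesProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Weak check: decodes once, the behaviour the advisory describes for 5.15.8.
// "/%2561dmin" decodes to "/%61dmin", which no longer matches "/admin".
function isProtectedSingleDecode(rawPath) {
  let path;
  try {
    path = decodeURIComponent(rawPath);
  } catch {
    return true; // malformed percent-encoding: fail closed
  }
  return matchesProtected(path);
}

// Hardened: decode until the string stops changing (bounded), then resolve
// "." and ".." segments and drop empty segments. Returns null when the path
// is malformed or still changing after maxRounds so the caller can deny.
function canonicalizePath(rawPath, maxRounds = 5) {
  let cur = rawPath;
  let stable = false;
  for (let i = 0; i < maxRounds && !stable; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      return null;
    }
    stable = next === cur;
    cur = next;
  }
  if (!stable) return null;
  const out = [];
  for (const seg of cur.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function isProtectedHardened(rawPath) {
  const path = canonicalizePath(rawPath);
  return path === null ? true : matchesProtected(path); // deny on failure
}
```

The guard must compare against the same representation the router uses to dispatch the request, otherwise the two will disagree about which route a path reaches. A stricter alternative policy is to reject any path that still contains a percent sign after one decode.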

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-66202
GHSA-GGXQ-HP9W-J794
GHSA-WHQG-PPGF-WP8C

Affected Products

Astro