Description
A vulnerability has been identified in the Astro framework’s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.
Recommendation
Update the astro package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.14.3
- Patched version(s): 5.14.3
References
Related Issues
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Tags:
- npm
- astro
Anything's wrong? Let us know Last updated on November 19, 2025