Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
- Severity:
- Medium
Description
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI).
Recommendation
Update the astro package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.15.8
- Patched version(s): 5.15.8
References
Related Issues
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
- Astro vulnerable to reflected XSS via the server islands feature - CVE-2025-64764
- pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding - CVE-2025-11362
- Tags:
- npm
- astro
Anything's wrong? Let us know Last updated on November 27, 2025