Moderate severity · NVD Advisory · Published Dec 8, 2025 · Updated Dec 9, 2025
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
CVE-2025-66202
Description
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
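The description above turns on one detail: a pathname check that percent-decodes its input exactly once still sees `%61dmin` inside `/%2561dmin`, so a prefix test against `/admin` does not match and the request falls through. The following is an added illustration, not Astro's code or the patch referenced below, of a pathname-based middleware check written the insufficient way beside a hardened form that decodes to a fixed point, collapses dot segments, and fails closed on malformed input. The protected prefixes, the decode-round bound and the sample paths are constructed for the example.

```javascript
// Added example (not from the Astro project): a single-decode pathname check
// beside a hardened normalization, for middleware-style authorization.

// Assumption: bound the decode loop so a pathological input cannot spin.
const MAX_DECODE_ROUNDS = 5;

// Constructed list of prefixes that require authentication.
const PROTECTED_PREFIXES = ['/admin', '/dashboard'];

// Resolve "." and ".." segments and collapse repeated slashes. Decoding can
// reintroduce dot segments that the URL parser already removed, so this runs
// after decoding, not before.
function collapseSegments(pathname) {
  const out = [];
  for (const seg of pathname.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Decode until the value stops changing (a fixed point), then collapse
// segments. Returns null on malformed percent-encoding or when the round
// bound is exhausted, so the caller can treat the path as "deny".
function normalizePathname(pathname) {
  let current = pathname;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch {
      return null; // e.g. a bare "%zz" sequence
    }
    if (decoded === current) return collapseSegments(current);
    current = decoded;
  }
  return null;
}

// Prefix match with a segment boundary, so "/administrator" is not "/admin".
function matchesProtected(pathname) {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + '/')
  );
}

// The insufficient check: one round of decoding, then compare.
function requiresAuthSingleDecode(rawPathname) {
  return matchesProtected(decodeURIComponent(rawPathname));
}

// The hardened check: normalize to a fixed point and fail closed.
function requiresAuthHardened(rawPathname) {
  const normalized = normalizePathname(rawPathname);
  if (normalized === null) return true; // unparseable path: require auth
  return matchesProtected(normalized);
}

// Constructed request paths (not taken from the advisory).
const SAMPLE_PATHS = ['/admin', '/%61dmin', '/%2561dmin', '/blog'];

// Returns one row per sample path so the two checks can be compared.
function compareChecks(paths = SAMPLE_PATHS) {
  return paths.map((path) => ({
    path,
    singleDecode: requiresAuthSingleDecode(path),
    hardened: requiresAuthHardened(path),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks());
}
```

The row for `/%2561dmin` is the one that matters: the single-decode check returns `false` and would let the request through to the handler, while the hardened check returns `true`. Deciding on the normalized value, rather than the raw or once-decoded one, is the property a regression test for this class of bug should assert on, and failing closed on undecodable input keeps a malformed path from becoming a bypass of its own.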
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| astro (npm) | < 5.15.8 | 5.15.8 |
References
- github.com/advisories/GHSA-whqg-ppgf-wp8c (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64765 (NVD advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66202 (NVD advisory)
- github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce (fix commit)
- github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794 (project advisory)
- github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c (project advisory, confirmation)