CVE-2025-64757: 
JavaScript vulnerability analysis and mitigation

A vulnerability (CVE-2025-64757) has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability was discovered in November 2025 and affects Astro development environments running versions < 5.14.3. This security flaw enables remote attackers to read any image file accessible to the Node.js process on the host system (GitHub Advisory).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal). It exists in the Node.js image endpoint handler used during development mode, specifically in the /packages/astro/src/assets/endpoint/node.ts component. The vulnerability has a CVSS v3.1 base score of 3.5 (Low severity) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The development branch bypasses the security checks that exist in the production code path, which normally validates that file paths are within the allowed assets directory (GitHub Advisory).

The vulnerability has a HIGH confidentiality impact, allowing attackers to read any image file accessible to the Node.js process via HTTP response. While the vulnerability does not affect system integrity or availability directly, it could potentially be used for resource exhaustion through repeated large image requests. The scope is limited to the local development environment (GitHub Advisory).

The vulnerability has been patched in Astro version 5.14.3 and later. Users are advised to upgrade to the patched version to prevent potential exploitation. The production environment is not affected as it implements proper path validation (GitHub Advisory).