CVE-2025-64764: 
JavaScript vulnerability analysis and mitigation

Astro, a web framework, was found to contain a reflected XSS vulnerability (CVE-2025-64764) affecting versions prior to 5.15.8. The vulnerability was discovered on November 19, 2025, and is present when the server islands feature is used in the targeted application, regardless of the component template configurations (GitHub Advisory).

The vulnerability exists in the server islands feature which runs in an isolated context outside of the page request using the path pattern '/_server-islands/[name]'. The endpoint accepts three parameters: 'e' (component to export), 'p' (encrypted properties), and 's' (slots). When the 'e' parameter is set to 'file', it creates a template where the absolute path name is sanitized and injected as the tag name, and the value from the 's' parameter is injected as a child using markHTMLString. This allows for XSS payload injection regardless of the component template's intended configuration. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N (GitHub Advisory, NVD).

The vulnerability allows attackers to execute arbitrary scripts in the context of the user's browser by injecting malicious payloads into the parameters. This can lead to compromised user sessions, data theft, and potential manipulation of web application content (Snyk).

Users should upgrade to Astro version 5.15.8 or higher, which contains the patch for this vulnerability. The fix was implemented through a commit that addresses the issue (GitHub Commit).