CVE-2025-64765: 
JavaScript vulnerability analysis and mitigation

CVE-2025-64765 is a moderate severity vulnerability affecting Astro npm package versions below 5.15.8. The vulnerability was discovered and disclosed in November 2025, affecting the middleware authentication mechanism in Astro applications. The issue stems from a path normalization mismatch between how Astro internally processes request paths for routing/rendering and how the application's middleware validates these paths (GitHub Advisory).

The vulnerability exists due to a discrepancy in URL path handling where Astro internally applies decodeURI() to determine routes for rendering, while the middleware uses context.url.pathname without the same normalization. This creates a path normalization mismatch where encoded paths (e.g., /%61dmin) are properly decoded for routing but remain encoded during middleware validation checks (GitHub Advisory).

This vulnerability could allow attackers to bypass authentication checks and access protected routes by using URL-encoded path variants. For example, an attacker could access a protected /admin route by using encoded variants like /%61dmin, effectively bypassing any middleware-based security controls (GitHub Advisory).

The vulnerability has been patched in Astro version 5.15.8. Users should upgrade to this version or later to receive the fix. The patch ensures middleware context receives the same normalized pathname value that Astro uses internally, preventing path normalization bypass attempts (GitHub Advisory).