CVE-2025-64765: 
JavaScript vulnerability analysis and mitigation

CVE-2025-64765 affects Astro web framework versions prior to 5.15.8. The vulnerability stems from a mismatch between how Astro normalizes request paths for routing/rendering and how the application's middleware reads the path for validation checks. Discovered and disclosed on November 19, 2025, this vulnerability impacts the authentication and authorization mechanisms in Astro applications (GitHub Advisory).

The vulnerability exists due to inconsistent path normalization between Astro's router and middleware components. While Astro's router applies decodeURI() to determine which route to render, the middleware uses context.url.pathname without applying the same normalization. This creates a security gap where URL-encoded paths are handled differently by different parts of the application. The vulnerability has a CVSS v4.0 Base Score of 6.9 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability allows attackers to bypass middleware security checks by using URL-encoded path variants. For example, a protected route like /admin could be accessed using encoded variants such as /%61dmin, effectively circumventing authentication and authorization controls put in place through middleware (GitHub Advisory, Miggo).

The vulnerability has been patched in Astro version 5.15.8. The fix ensures that middleware context receives the same normalized pathname value that Astro uses internally for routing. Users should upgrade to version 5.15.8 or later to address this vulnerability. The patch modifies how URL paths are handled, ensuring consistent path normalization across both routing and middleware components (GitHub Advisory).