How to fix CVE-2025-64765?

Within 7 days: Identify affected systems and apply vendor patches promptly. Review file handling controls.

Is Astro affected by CVE-2025-64765?

Organizations using Astro should be aware of notable risk from CVE-2025-64765, a path traversal vulnerability rated CVSS 6.9. This could allow unauthorized file access. Proof-of-concept code is publicly available. A patch is available and should be applied during regular vulnerability management.

CVE-2025-64765

MEDIUM

2025-11-19 [email protected]

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:23 vuln.today

Patch Released

Mar 28, 2026 - 19:23 nvd

Patch available

PoC Detected

Nov 25, 2025 - 15:11 vuln.today

Public exploit code

CVE Published

Nov 19, 2025 - 17:15 nvd

MEDIUM 6.9

Description

Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8.

Analysis

Astro is a web framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8. Affected products include: Astro. Version information: version 5.15.8.

Affected Products

Astro.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +34

POC: +20

CVE-2025-64765 vulnerability details – vuln.today

Back

CVE-2025-64765

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-64765

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code