Skip to main content

Astro CVE-2026-59731

| EUVDEUVD-2026-42341 HIGH
Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647)
2026-07-08 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Remote, unauthenticated, low-complexity path-normalization bypass reaching protected routes gives high confidentiality and low integrity impact with no availability effect and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 17:24 vuln.today

DescriptionCVE.org

Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.

AnalysisAI

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected routes by exploiting an inconsistency between how the framework decodes URL paths for auth decisions versus route matching. Because authorization runs against a path that hit the iterative URL-decoder limit while later rewrite matching applies an extra decodeURI(), a request that appears benign at the auth gate resolves to a guarded route afterward, exposing protected content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify protected Astro route
Delivery
Craft multiply-encoded pathname
Exploit
Auth check sees under-decoded path
Execution
Passes authorization gate
Persist
Rewrite decodeURI() resolves protected route
Impact
Protected content disclosed

Vulnerability AssessmentAI

Exploitation Exploitation requires an Astro 6.4.7 application that enforces access control on routes via the framework's own authorization/middleware layer and uses rewrite-based route matching - the flaw lives in the gap between the auth stage (which reads a path stuck at the iterative decoder limit) and the later decodeURI() rewrite match. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, base 8.2) describes a network-reachable, low-complexity, unauthenticated bypass with high confidentiality and low integrity impact and no availability impact - consistent with unauthorized read/limited-write access to guarded routes rather than full compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a protected Astro route using multiply percent-encoded path segments so that the pathname still looks unprivileged after Astro's capped iterative decoding, passing the authorization check. Astro's rewrite route matcher then applies its extra decodeURI() pass, canonicalizes the path to the guarded route, and serves protected content to the unauthenticated attacker. …
Remediation Vendor-released patch: 6.4.8 - upgrade Astro to 6.4.8 or later (npm install astro@6.4.8) as the primary and complete fix, per the release at https://github.com/withastro/astro/releases/tag/astro@6.4.8 and advisory GHSA-vj59-8hwv-xxmv. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Astro deployments and identify instances running version 6.4.7 or earlier; document protected routes and sensitive data handled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Astro

View all
CVE-2018-7180 CRITICAL POC
9.8 Feb 17

SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2024-56159 HIGH POC
7.8 Dec 19

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.8), this vulnerability is remotely exp

CVE-2025-64764 HIGH POC
7.1 Nov 19

Astro is a web framework. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication

CVE-2025-55303 MEDIUM POC
6.9 Aug 19

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.9), this vulnerability is remotely e

CVE-2025-64525 MEDIUM POC
6.5 Nov 13

Astro is a web framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticatio

CVE-2025-54793 MEDIUM POC
5.5 Aug 08

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely e

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2023-50249 HIGH
7.5 Dec 20

Sentry-Javascript is official Sentry SDKs for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2026-33768 MEDIUM
6.5 Mar 24

The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vuln

CVE-2024-56140 MEDIUM
6.5 Dec 18

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2026-29772 MEDIUM
5.9 Mar 24

Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST

CVE-2024-47885 MEDIUM
5.4 Oct 14

The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to ver

Share

CVE-2026-59731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy