CVE-2025-64765: Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values

November 19, 2025 (updated November 27, 2025)

A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI).

This discrepancy may allow attackers to reach protected routes (e.g., /admin) using encoded path variants that pass routing but bypass validation checks.

References

github.com/advisories/GHSA-ggxq-hp9w-j794
github.com/withastro/astro
github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
nvd.nist.gov/vuln/detail/CVE-2025-64765

Code Behaviors & Features

Detect and mitigate CVE-2025-64765 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →