CVE-2025-66202
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66202
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
withastro astro 5.15.8
withastro astro 5.15.7
astro astro to 5.15.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-647 The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability in the Astro web framework (versions 5.15.7 and below) involves a double URL encoding bypass. It allows an unauthenticated attacker to bypass path-based authentication checks in Astro middleware by using double-encoded URLs. Although a previous fix was applied in version 5.15.8, it only decoded once, which was insufficient. Attackers can exploit this to gain unauthorized access to protected routes.

Impact Analysis

The vulnerability can allow attackers who are not authenticated to bypass authentication controls and access protected routes within an Astro-based web application. This unauthorized access could lead to exposure of sensitive information or functionality that should be restricted.

Mitigation Strategies

Upgrade Astro to version 5.15.8 or later, as this version includes the fix for the double URL encoding bypass vulnerability.

Detection Guidance

This vulnerability can be detected by testing if your Astro web application improperly handles double URL encoded paths, allowing access to protected routes without authentication. You can attempt to access protected routes using double-encoded URLs, for example, try accessing /%2561dmin instead of /%61dmin (which corresponds to /admin). If the application grants access to such double-encoded paths without proper authentication, it is vulnerable. A practical detection method is to send HTTP requests with double-encoded URLs to protected endpoints and observe if unauthorized access is granted. Example curl command to test this: curl -i http://yourserver.com/%2561dmin If the response allows access or does not return a 400 Bad Request, the system may be vulnerable. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart