CVE-2026-59731
Received
Received - Intake
Astro Framework Authorization Bypass via URL Decoding
Vulnerability report for CVE-2026-59731, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: GitHub, Inc.
Description
Description
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| withastro | astro | 6.4.7 |
| withastro | astro | 6.4.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-647 | The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization. |