CVE-2025-66202: Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
(updated )
A double URL encoding bypass allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 (single URL encoding) was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs like /%2561dmin instead of /%61dmin, attackers can still bypass authentication and access protected resources such as /admin, /api/internal, or any route protected by middleware pathname checks.
References
- github.com/advisories/GHSA-whqg-ppgf-wp8c
- github.com/withastro/astro
- github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
- github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
- github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c
- nvd.nist.gov/vuln/detail/CVE-2025-64765
- nvd.nist.gov/vuln/detail/CVE-2025-66202
Code Behaviors & Features
Detect and mitigate CVE-2025-66202 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →