Vulnerability	Vulnerable Version
M Use of Non-Canonical URL Paths for Authorization Decisions astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for protecting routes decodes the request path only once, allowing double-encoded sequences to bypass path-based authentication checks. An attacker can exploit this by submitting double-encoded URLs to access protected routes such as /admin or /api/internal, enabling unauthorized access to restricted functionality. Note: There has been an attempt to fix this vulnerability in version 5.15.8 following CVE-2025-64765, but the fix is insufficient. How to fix Use of Non-Canonical URL Paths for Authorization Decisions? Upgrade `astro` to version 5.16.3 or higher.	<5.16.3

Use of Non-Canonical URL Paths for Authorization Decisions

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for protecting routes decodes the request path only once, allowing double-encoded sequences to bypass path-based authentication checks. An attacker can exploit this by submitting double-encoded URLs to access protected routes such as /admin or /api/internal, enabling unauthorized access to restricted functionality.

Note: There has been an attempt to fix this vulnerability in version 5.15.8 following CVE-2025-64765, but the fix is insufficient.

How to fix Use of Non-Canonical URL Paths for Authorization Decisions?

Upgrade astro to version 5.16.3 or higher.

<5.16.3

Go back to all versions of this package