Relative Path Traversal Affecting astro package, versions <5.14.3

Q: How to fix?

Upgrade astro to version 5.14.3 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Relative Path Traversal vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-ASTRO-14059139
published20 Nov 2025
disclosed19 Nov 2025
creditMonish Basaniwal

Report a new vulnerability Found a mistake?

Introduced: 19 Nov 2025

NewCVE-2025-64757 (opens in a new tab) CWE-22 (opens in a new tab) CWE-23 (opens in a new tab)

How to fix?

Upgrade astro to version 5.14.3 or higher.

Overview

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.js process by sending crafted HTTP requests specifying absolute file paths.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Adjacent
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None