Use of Non-Canonical URL Paths for Authorization Decisions Affecting astro package, versions <6.4.8


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.27% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-ASTRO-17901336
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditEclso

Introduced: 8 Jul 2026

NewCVE-2026-59731  (opens in a new tab)
CWE-647  (opens in a new tab)

How to fix?

Upgrade astro to version 6.4.8 or higher.

Overview

astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions in validateAndDecodePathname and rewrite routing in findRouteToRewrite. An attacker can reach protected routes by sending an over-encoded URL whose path is only partially decoded for middleware checks but then decoded again during route matching. This lets unauthenticated requests slip past pathname-based middleware authorization and still resolve to routes such as /admin or /api/admin. The result is unauthorized access to protected pages or APIs that the application intended to block.

Notes

  • The bypass is only exposed in deployments that are authorized by inspecting context.url.pathname and then handing the request back into Astro’s rewrite flow with next(context.url), so middleware and routing can see different pathname representations for the same request.
  • The affected route checks are not limited to page paths; the maintainer’s advisory examples include API and other internal endpoints, so applications using pathname-based protections for non-page handlers are in scope as well.

CVSS Base Scores

version 4.0
version 3.1