CVE-2026-59731
Astro 6.4.7 Authorization Bypass via Decode Iteration Limit and Rewrite Path Canonicalization Mismatch
CVSS Score
8.2
EPSS Score
0.3%
EPSS Percentile
18th
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.
| CWE | CWE-647 |
| Vendor | withastro |
| Product | astro |
| Published | Jul 8, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for withastro astro
Be the first to know when new high vulnerabilities affecting withastro astro are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
withastro / astro
>= 6.4.7, < 6.4.8
References
github.com: https://github.com/withastro/astro/security/advisories/GHSA-vj59-8hwv-xxmv github.com: https://github.com/withastro/astro/pull/17109 github.com: https://github.com/withastro/astro/commit/27c80ea92248993e5fce94b2c26d87d611ab6785 github.com: https://github.com/withastro/astro/releases/tag/[email protected]