anonhaven
Ad

CVE-2025-64764

HIGH CVSS 3.1: 7.1 EPSS 0.54%
Updated Nov 20, 2025
Astro
Parameter Value
CVSS 7.1 (HIGH)
Affected Versions before 5.15.8
Fixed In 5.15.8
Type CWE-80 (Improper Neutralization of Script-Related HTML Tags (XSS))
Vendor Astro
Public PoC No

Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-80 Improper Neutralization of Script-Related HTML Tags (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Astro Astro
cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
 5.15.8

References 2

https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009…
security-advisories@github.com
https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33769

Astro

2.9

CVE-2026-33768

Withastro

9.1

CVE-2026-29772

Payload

7.5

CVE-2025-64745

Astro

2.7

CVE-2025-64525

Astro

6.5