Home > Vulnerability Database > CVE-2025-64757

Mend.io Vulnerability Database

CVE-2025-64757

Good to know:

Date: November 19, 2025

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.

Severity Score

3.5

Related Resources (5)

Url: https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7

Url: https://github.com/withastro/astro

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64757

Url: https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g

Url: https://www.mend.io/vulnerability-database/CVE-2025-64757

Severity Score

3.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version astro - 5.14.3;https://github.com/withastro/astro.git - astro@5.14.3;https://github.com/withastro/astro.git - @astrojs/internal-helpers@0.7.4

Learn More

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64757

Good to know:

Date: November 19, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?