CVE-2025-64757 LOW

CVE-2025-64757: Astro Development Server is Vulnerable to Arbitrary Local File Read

Vendor Withastro
Product astro
Weakness CWE-22 · Path traversal
Published November 19, 2025
Last update November 19, 2025

CVSS base score

3.5/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Astro is a web framework. Prior to version 5.14.3, the Astro development server contains a vulnerability that allows arbitrary local file read access through its image optimization endpoint. The issue affects Astro development environments and allows remote attackers to read any image file that is accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.

Key dates

Disclosure timeline

November 19, 2025 CVE published
November 19, 2025 Record updated