Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qhy1-e5yu-mff5
Vulnerability ID VCID-qhy1-e5yu-mff5
Aliases CVE-2025-64757
GHSA-x3h8-62x9-952g
Summary Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.
Status Published
Exploitability 0.5
Weighted Severity 3.1
Risk 1.6
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 Relative Path Traversal
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2025-64757
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2025-64757
cvssv3.1_qr LOW https://github.com/advisories/GHSA-x3h8-62x9-952g
cvssv3.1 3.5 https://github.com/withastro/astro
generic_textual LOW https://github.com/withastro/astro
cvssv3.1 3.5 https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
generic_textual LOW https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
ssvc Track https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
cvssv3.1 3.5 https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
cvssv3.1_qr LOW https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
generic_textual LOW https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
ssvc Track https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
cvssv3.1 3.5 https://nvd.nist.gov/vuln/detail/CVE-2025-64757
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2025-64757
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-64757
https://github.com/withastro/astro
b8ca69b97149becefaf89bf21853de9c905cdbb7 https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
CVE-2025-64757 https://nvd.nist.gov/vuln/detail/CVE-2025-64757
GHSA-x3h8-62x9-952g https://github.com/advisories/GHSA-x3h8-62x9-952g
GHSA-x3h8-62x9-952g https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
No exploits are available.
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/withastro/astro
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-19T21:04:14Z/ Found at https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-19T21:04:14Z/ Found at https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64757
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06312
EPSS Score 0.00022
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:57:29.865096+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/64xxx/CVE-2025-64757.json 38.6.0