CVE-2025-64764

7.1 HIGH

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability exists in the server islands feature of the Astro web framework. An attacker who gets a victim to open a crafted URL can execute JavaScript in the victim's browser, in the origin of the affected site. This affects Astro applications that use server islands and run a version prior to 5.15.8.

💻 Affected Systems

Products:
  • Astro web framework
Versions: All versions prior to 5.15.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (server islands are enabled by default in Astro 5; the vulnerable code path is only reachable where the project actually uses them)
Notes: Only applications that render at least one server island (a component with the `server:defer` directive) are affected. Fully static sites without server islands are not vulnerable.

📦 What is this software?

Astro is a JavaScript web framework for content-driven websites. Pages are rendered to static HTML by default; server islands (the `server:defer` directive) let an individual component be rendered on the server per request and injected into the otherwise static page by a small client-side loader that requests it from the `/_server-islands/` endpoint.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal user session cookies, credentials, or perform actions on behalf of authenticated users, potentially leading to account takeover and data theft.

🟠

Likely Case

Attackers execute arbitrary JavaScript in victim browsers, potentially stealing session tokens or redirecting users to malicious sites.

🟢

If Mitigated

A strict Content Security Policy that forbids inline scripts renders the injected payload inert, so the impact is limited to what the attacker can do without script execution. Application-level input validation and output encoding do not help, because the reflection happens inside framework code rather than in application templates; only upgrading removes the bug.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS requires the victim to open an attacker-supplied link (or be redirected to it), but it needs no authentication and is straightforward to exploit once the affected parameter is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.15.8

Vendor Advisory: https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723

Restart Required: Yes

Instructions:

1. Update the Astro package to the fixed release: `npm install astro@^5.15.8` (pnpm: `pnpm add astro@^5.15.8`; yarn: `yarn add astro@^5.15.8`), or run Astro's upgrade helper, `npx @astrojs/upgrade`. Note that `npm update astro@5.15.8` does not pin a version the way `npm install` does.
2. Confirm the lockfile now resolves `astro` to 5.15.8 or newer (`npm ls astro`).
3. Rebuild (`npm run build`) and redeploy; a long-running SSR server or container must be restarted so that it serves the new build.

🔧 Temporary Workarounds

Disable server islands (all platforms)

If server islands are not essential, temporarily stop using them: remove the `server:defer` directive from the components that carry it so they render as ordinary components. This changes where those components render (at build time for static pages, or on every request in SSR mode) and removes any per-request personalisation they provided, so treat it as a stopgap until the upgrade is deployed.

🧯 If You Can't Patch

  • Serve a strict Content Security Policy (nonce- or hash-based `script-src`, no `'unsafe-inline'`) so an injected inline script is not executed. Roll it out in report-only mode first: Astro emits inline scripts of its own, including the server island loader, and those need a nonce or hash before enforcement.
  • Put a web application firewall (WAF) with XSS rules in front of the site. Expect encoded or obfuscated payloads to slip past generic signatures; this reduces exposure but does not fix the bug.

🔍 How to Verify

Check if Vulnerable:

Check the Astro version that is actually installed (lockfile and node_modules, not just the range in package.json) and confirm whether the project uses server islands: `grep -rn "server:defer" src/` returns the components that do.

Check Version:

npm ls astro

Verify Fix Applied:

Confirm that `npm ls astro` reports 5.15.8 or newer for every copy of astro in the tree (monorepos and workspaces can carry more than one), and that the deployed build was produced after the upgrade.
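The version check above, as an added example (not part of the advisory or of Astro): a small Node script that reads the JSON form of `npm ls astro --json`, walks nested dependencies so that a second copy of astro in a workspace is not missed, and compares each version numerically against 5.15.8. The `npm ls` output embedded below is constructed for the example; the file name `check-astro.mjs` in the comment is hypothetical.

```javascript
// Added example, not from the advisory or the Astro project.
// Usage (hypothetical file name): npm ls astro --json > ls.json, then load it
// with JSON.parse and pass the object to assess(). The SAMPLE below stands in
// for that output.

const FIXED = "5.15.8";

// Numeric semver comparison: "5.9.10" < "5.15.8" (a string compare gets this
// wrong). A pre-release of the fixed version (5.15.8-beta.1) sorts before the
// release and is therefore still treated as vulnerable.
function compareVersions(a, b) {
  const [baseA, preA] = a.split("-");
  const [baseB, preB] = b.split("-");
  const pa = baseA.split(".").map(Number);
  const pb = baseB.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED) < 0;
}

// `npm ls --json` nests transitive copies under dependencies.<name>.dependencies,
// so recurse instead of reading only the top level.
function findAstroVersions(tree, found = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    if (name === "astro" && info.version) found.push(info.version);
    if (info.dependencies) findAstroVersions(info, found);
  }
  return found;
}

function assess(npmLsJson) {
  const versions = findAstroVersions(npmLsJson);
  return { versions, vulnerable: versions.filter(isVulnerableVersion) };
}

// Constructed sample of `npm ls astro --json` output: the root project is on a
// vulnerable release, a workspace package already pulls in the fixed one.
const SAMPLE = {
  name: "my-site",
  dependencies: {
    astro: { version: "5.15.7" },
    "@my/ui": { version: "1.0.0", dependencies: { astro: { version: "5.15.8" } } },
  },
};

const result = assess(SAMPLE);
console.log(result.vulnerable.length === 0
  ? `OK: astro ${result.versions.join(", ")} (fixed in ${FIXED})`
  : `VULNERABLE: astro ${result.vulnerable.join(", ")} is below ${FIXED}`);
```

Run it against real output by replacing `SAMPLE` with `JSON.parse` of the captured `npm ls astro --json`. A non-empty `vulnerable` list means at least one installed copy of astro needs the upgrade, regardless of what package.json declares.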

📡 Detection & Monitoring

Log Indicators:

  • Query strings containing `<script`, `javascript:` URLs or HTML event-handler attributes, usually percent-encoded (sometimes double-encoded), so decode before matching
  • Bursts of requests to `/_server-islands/` paths with unusual or malformed parameters from a single client, often with non-browser user agents

Network Indicators:

  • HTTP requests carrying script payloads in query parameters, in particular to `/_server-islands/` endpoints
  • Unusual redirect patterns, or referrers pointing at the site from unexpected origins (the crafted link has to be delivered from somewhere)

SIEM Query:

web.logs | where url_decode(url) contains "<script" or url_decode(url) contains "javascript:" | summarize count() by client_ip, url

(Pseudo-syntax: decode the URL before matching, since payloads arrive percent-encoded, and consider a second query restricted to `/_server-islands/` paths, where script-like parameters have no legitimate reason to appear.)
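The detection logic described in this section, as an added example (not part of the advisory): it parses combined-format access log lines, percent-decodes the query string repeatedly so double-encoded payloads are caught, matches a small set of script-like patterns, and rates hits on Astro's `/_server-islands/` endpoint higher than hits elsewhere. All log lines, client addresses and the parameter names in them are constructed for the example and do not describe the real vulnerable parameter.

```javascript
// Added example, not from the advisory or from Astro. Scan access-log lines for
// script-like query strings; log lines below are constructed.

// Patterns that rarely appear in legitimate query strings.
const SCRIPTY = [
  /<\s*script/i,
  /javascript\s*:/i,
  /\bon(?:error|load|focus|mouseover)\s*=/i,
  /<\s*(?:img|svg|iframe)\b[^>]*\bon\w+\s*=/i,
];

// Percent-decode until the string stops changing (bounded to 3 rounds) so that
// double-encoded payloads such as %253Cscript%253E are caught. decodeURIComponent
// throws on malformed sequences; in that case keep what has been decoded so far.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, " "));
    } catch {
      return cur;
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Combined log format: ip ident user [time] "METHOD target PROTO" status ...
function analyzeLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const qIdx = target.indexOf("?");
  const path = qIdx === -1 ? target : target.slice(0, qIdx);
  const query = qIdx === -1 ? "" : fullyDecode(target.slice(qIdx + 1));
  const hits = SCRIPTY.filter((re) => re.test(query)).length;
  const serverIsland = path.startsWith("/_server-islands/");
  // A script-like parameter aimed at the server island endpoint is the
  // pattern this advisory is about; the same payload elsewhere is still
  // worth a look but is ordinary XSS probing.
  let severity = "none";
  if (hits > 0) severity = serverIsland ? "high" : "medium";
  return { ip, ts, method, path, status: Number(status), serverIsland, hits, severity };
}

function scan(lines) {
  return lines.map(analyzeLine).filter((r) => r && r.severity !== "none");
}

// Constructed sample log. Parameter names (x, q) are illustrative only.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Nov/2025:10:00:02 +0000] "GET /_server-islands/Cart?x=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 312 "-" "curl/8.4.0"',
  '198.51.100.23 - - [10/Nov/2025:10:00:03 +0000] "GET /search?q=%256Aavascript%253Aalert(1) HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
  '203.0.113.9 - - [10/Nov/2025:10:00:04 +0000] "GET /_server-islands/Cart?x=abc123 HTTP/1.1" 200 280 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Nov/2025:10:00:05 +0000] "GET /search?q=%E0%A4%A HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
];

for (const hit of scan(SAMPLE_LOG)) {
  console.log(`[${hit.severity}] ${hit.ip} ${hit.method} ${hit.path} (${hit.hits} pattern hit(s))`);
}
```

Feed real logs line by line into `scan`; the legitimate server island request and the malformed-encoding request in the sample produce no alert, the encoded `<script>` against `/_server-islands/Cart` is rated high, and the double-encoded `javascript:` against `/search` is rated medium. Tune `SCRIPTY` to your traffic before alerting on it.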

🔗 References

  • Vendor advisory (GitHub Security Advisory): https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-64764
