{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64764", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-10T22:29:34.877Z", "datePublished": "2025-11-19T16:41:03.767Z", "dateUpdated": "2025-11-19T21:07:23.867Z"}, "containers": {"cna": {"title": "Astro is vulnerable to Reflected XSS via the server islands feature", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"}, {"name": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91", "tags": ["x_refsource_MISC"], "url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"version": "< 5.15.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-19T16:41:03.767Z"}, "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8."}], "source": {"advisory": "GHSA-wrwg-2hg8-v723", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T21:06:04.095169Z", "id": "CVE-2025-64764", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T21:07:23.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64764", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T21:06:04.095169Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T21:06:09.025Z"}}], "cna": {"title": "Astro is vulnerable to Reflected XSS via the server islands feature", "source": {"advisory": "GHSA-wrwg-2hg8-v723", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"status": "affected", "version": "< 5.15.8"}]}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723", "name": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91", "name": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-19T16:41:03.767Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64764", "state": "PUBLISHED", "dateUpdated": "2025-11-19T21:07:23.867Z", "dateReserved": "2025-11-10T22:29:34.877Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-19T16:41:03.767Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1015DFA8-9106-453C-9144-11E63ADA3B67", "versionEndExcluding": "5.15.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8."}], "id": "CVE-2025-64764", "lastModified": "2025-11-20T17:54:05.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-11-19T17:15:52.647", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}