cbcvebase.
CVE-2025-64764
published 2025-11-19

Priority: P279 · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Tags: ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.45% (35.6th percentile)
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.

Affected (3 ranges)

Vendor      Product   Version range     Fixed in
astro       astro     < 5.15.8          5.15.8
astro       astro     >= 0, < 5.15.8    5.15.8
withastro   astro     < 5.15.8          5.15.8

Detection & IOCs (extracted from sources)

url:    /_server-islands/{{value}}?e=file&p=&s={"{{rand}}":""}
path:   /_server-islands/
other:  shodan: html:"_server-islands"
  • Probe for the server islands endpoint by sending a GET request to /_server-islands/<component>?e=file&p=&s={...} and check for a 200 response whose body reflects the injected payload string.
  • Identify Astro applications exposing the server islands feature by searching for the string '_server-islands' in HTML responses (e.g., via the Shodan query html:"_server-islands").
  • The reflected XSS payload is delivered via the query parameters of the /_server-islands/ path; look for requests matching the regex /_server-islands/[^?]+\?e= in web server access logs.
  • The vulnerability only affects Astro applications that have the server islands feature enabled; applications not using server islands are not exploitable.
  • The issue is fixed in Astro version 5.15.8; versions prior to 5.15.8 are vulnerable regardless of component template content.
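The access-log check and the version check from the notes above, worked into one script. This is an added example written for this page, not code from the advisory or from the Astro project. It assumes combined-format access logs (Apache/nginx style), uses the regex given in the detection notes to pick out hits on /_server-islands/, and treats any astro version strictly below 5.15.8 as affected. The log lines it runs on are constructed for the example, not real traffic.

```javascript
// Added example (not from the advisory or the Astro project): find requests to
// the Astro server islands endpoint in combined-format access logs, and decide
// whether an installed astro version predates the patched release.

const FIXED_VERSION = "5.15.8"; // patched release named in the advisory

// Parse "MAJOR.MINOR.PATCH" (a leading "v" and any prerelease/build suffix are
// ignored) into three numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is strictly older than 5.15.8 (the affected range).
function isVulnerableAstroVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// The detection regex from the notes (/_server-islands/[^?]+\?e=), anchored to
// the quoted request line of a combined-format log entry.
const SERVER_ISLAND_REQUEST =
  /"(?:GET|POST|HEAD) (\/_server-islands\/[^?\s]+\?e=[^\s"]*) HTTP\/[\d.]+"/;

// Return the interesting fields of one log line, or null if the line does not
// hit the endpoint. The base URL is only there so URL() can parse a path.
function matchServerIslandRequest(line) {
  const m = SERVER_ISLAND_REQUEST.exec(line);
  if (!m) return null;
  const url = new URL(m[1], "http://placeholder.invalid");
  const ip = line.split(" ", 1)[0];
  const status = Number((/" (\d{3}) /.exec(line) || [])[1]);
  return {
    ip,
    status,
    component: decodeURIComponent(url.pathname.replace(/^\/_server-islands\//, "")),
    // e, p and s are the query parameters the advisory names as the payload carrier.
    e: url.searchParams.get("e"),
    p: url.searchParams.get("p"),
    s: url.searchParams.get("s"),
  };
}

function findServerIslandRequests(logText) {
  return logText.split("\n").map(matchServerIslandRequest).filter(Boolean);
}

// Constructed sample log (not real traffic): two probes of the endpoint, one
// unrelated page view, and one request to the bare path with no query string.
const SAMPLE_LOG = [
  '203.0.113.10 - - [19/Nov/2025:10:00:01 +0000] "GET /_server-islands/Avatar?e=file&p=&s=%7B%22abcd%22%3A%22%22%7D HTTP/1.1" 200 512 "-" "curl/8.4.0"',
  '203.0.113.10 - - [19/Nov/2025:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
  '198.51.100.7 - - [19/Nov/2025:10:00:03 +0000] "GET /_server-islands/Cart?e=file&p=&s=%7B%22zzzz%22%3A%22%22%7D HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [19/Nov/2025:10:00:04 +0000] "GET /_server-islands/ HTTP/1.1" 404 128 "-" "Mozilla/5.0"',
].join("\n");

for (const hit of findServerIslandRequests(SAMPLE_LOG)) {
  console.log(`${hit.ip} -> ${hit.component} (status ${hit.status}) s=${hit.s}`);
}
console.log("astro 5.15.7 affected:", isVulnerableAstroVersion("5.15.7"));
console.log("astro 5.15.8 affected:", isVulnerableAstroVersion("5.15.8"));
```

Run it with node against a real log by replacing SAMPLE_LOG with the file contents; a hit with status 200 is a request the endpoint actually served, which is the case the first detection note asks you to confirm. The version check only says whether the package is in the affected range; it does not tell you whether server islands are in use, which the notes call out as the precondition for exploitability.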

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         3.1       5.4     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vulncheck   -         7.1     HIGH       -