CVE-2025-64764
published 2025-11-19
Priority: P279 · medium · 5.4 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.45% (35.6th percentile)
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | < 5.15.8 | 5.15.8 |
| astro | astro | >= 0 < 5.15.8 | 5.15.8 |
| withastro | astro | < 5.15.8 | 5.15.8 |
Detection & IOCs (extracted from sources)
- url: /_server-islands/{{value}}?e=file&p=&s={"{{rand}}":""}
- path: /_server-islands/
- other: shodan: html:"_server-islands"
- Probe for the server islands endpoint by sending a GET request to /_server-islands/<component>?e=file&p=&s={...} and check for a 200 response containing the injected payload string in the body.
- Identify Astro applications exposing the server islands feature by searching for the string '_server-islands' in HTML responses (e.g., via Shodan query html:"_server-islands").
- The reflected XSS payload is delivered via the query parameters of the /_server-islands/ path; look for requests matching the regex /_server-islands/[^?]+\?e= in web server access logs.
- The vulnerability only affects Astro applications that have the server islands feature enabled; applications not using server islands are not exploitable.
- The issue is fixed in Astro version 5.15.8; versions prior to 5.15.8 are vulnerable regardless of component template content.
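A defender-side check for the access-log hint above and for the `s` (slots) parameter the advisory describes, added here as an example and not code from this page or from the Astro project: it scans constructed common-log-format lines for `/_server-islands/<name>?e=...` requests, decodes the `s` JSON object, and reports slot values that carry script elements, inline event handlers or `javascript:` URLs. The log format, the sample lines and the island name `Avatar` are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Access-log line (common log format, assumed) whose request target matches the
# page's hint /_server-islands/<name>?e=...; only GET exposes the query in the log.
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>/_server-islands/[^ "?]+\?[^ "]*) ')

# Slots legitimately carry HTML, so flag only markup that becomes active content.
SUSPECT_RE = re.compile(r"<\s*(script|iframe|svg|object|embed)\b|\bon\w+\s*=|javascript:", re.I)

# Constructed sample lines (not real traffic); the second carries a script slot.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Nov/2025:10:00:01 +0000] "GET /_server-islands/Avatar?e=default&p=&s=%7B%22default%22%3A%22%3Cb%3Ehi%3C%2Fb%3E%22%7D HTTP/1.1" 200 512',
    '203.0.113.11 - - [19/Nov/2025:10:00:02 +0000] "GET /_server-islands/Avatar?e=default&p=&s=%7B%22default%22%3A%22%3Cscript%3Ealert(1)%3C%2Fscript%3E%22%7D HTTP/1.1" 200 640',
    '203.0.113.12 - - [19/Nov/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 1024',
]


def slot_values(target: str) -> list[str]:
    """Return slot strings from the `s` parameter (a JSON object, as in the page's IOC)."""
    qs = parse_qs(urlsplit(target).query)  # percent-decodes values
    if "e" not in qs:
        return []  # not a server-island hydration request
    values: list[str] = []
    for raw in qs.get("s", []):
        try:
            obj = json.loads(raw)
        except ValueError:
            values.append(raw)  # malformed JSON is itself worth a look
            continue
        if isinstance(obj, dict):
            values.extend(str(v) for v in obj.values())
    return values


def scan_access_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, island_name, slot_html) for slots that look like active content."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        island = urlsplit(m["target"]).path.rsplit("/", 1)[-1]
        for value in slot_values(m["target"]):
            if SUSPECT_RE.search(value):
                hits.append((m["ip"], island, value))
    return hits
```

Slots sent in POST bodies do not appear in a standard access log, so this only covers the GET form of the request described on the page.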
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
vulncheck · 7.1 HIGH
GHSA
ghsa · 2025-11-19 · CVE-2025-64764 [HIGH] CWE-79
Astro vulnerable to reflected XSS via the server islands feature
## Summary
After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted application, **regardless of what was intended by the component template(s)**.
## Details
Server islands run in their own isolated context outside of the page request and use the following pattern path to hydrate the page: `/_server-islands/[name]`. These paths can be called via GET or POST and use three parameters:
- `e`: component to export
- `p`: the transmitted properties, encrypted
- `s`: for the slots
Slots are placeholders for external HTML content, and therefore allow, by default, the injection of code if the component template supports it; nothing exceptional in principle.
OSV
osv · 2025-11-19 · CVE-2025-64764 [HIGH]
Astro vulnerable to reflected XSS via the server islands feature
VulnCheck
vulncheck · 2025 · CVSS 7.1 · CVE-2025-64764 [HIGH]
astro astro: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.
Affected: astro astro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-64764
No detection rules found.
Nuclei
nuclei · CVSS 5.4 · CVE-2025-64764 [MEDIUM]
Astro - Reflected XSS via server islands feature
Astro 5.15.8 contains a reflected XSS caused by improper handling of the server islands feature, letting remote attackers execute scripts; the exploit requires use of server islands in the application.
Template:
```yaml
id: CVE-2025-64764
info:
  name: Astro - Reflected XSS via server islands feature
  author: DhiyaneshDk,zhero___
  severity: high
  description: |
    Astro 5.15.8 contains a reflected XSS caused by improper handling of server islands feature, letting remote attackers execute scripts, exploit requires use of server islands in the application.
  impact: |
    Remote attackers can execute scripts in users' browsers, potentially leading to session hijacking or data theft.
  remediation: |
    Update to version 5.15.8 or later.
  reference:
    - https://zhero-web-sec.gi
```
No writeups or analysis indexed.