skezo/astro-double-encode-400

astro-double-encode-400

Minimal reproduction for an Astro core bug: on-demand routes return 400 Bad Request for any path containing a double URL-encoded character.

Steps

  1. npm install
  2. npm run dev
  3. Open http://localhost:4321/foo%255Bbar%255D (%255B is a double-encoded [)

Expected: the route renders ("Matched path: foo%5Bbar%5D").
Actual: 400 Bad Request.

A plain path (/foobar) and a single-encoded path (/foo%5Bbar%5D) both return 200. Only paths with multi-level (%25xx) encoding return 400.

The rejection comes from validateAndDecodePathname in astro/dist/core/util/pathname.js (the CVE-2025-66202 guard). It runs inside the FetchState constructor, before route matching and before middleware, so it cannot be intercepted in user code.
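
The behaviour described above, as an added sketch that is not Astro's source and not part of this repository: a guard that decodes the pathname once and rejects it if the result still contains a percent-encoded octet. The name checkPathname, the returned object shape and the two extra sample paths are assumptions made for illustration.

```javascript
// Illustrative guard (assumption, not Astro's code): decode once, then
// refuse anything that still looks percent-encoded after that single pass.
const ENCODED_OCTET = /%[0-9a-fA-F]{2}/;

function checkPathname(pathname) {
  let decoded;
  try {
    decoded = decodeURI(pathname); // exactly one decoding pass
  } catch {
    // decodeURI throws URIError on malformed escapes such as "%ZZ"
    return { status: 400, reason: "malformed percent-encoding" };
  }
  const changed = decoded !== pathname;
  if (changed && ENCODED_OCTET.test(decoded)) {
    // "%255B" became "%5B": a second decoder further down the stack
    // would see a different path than the one checked here.
    return { status: 400, reason: "multi-level encoding" };
  }
  return { status: 200, decoded };
}

// The three paths from the reproduction, plus two constructed edge cases.
const samples = [
  "/foobar",
  "/foo%5Bbar%5D",
  "/foo%255Bbar%255D",
  "/100%25", // constructed: encoded "%" not followed by two hex digits
  "/foo%ZZ", // constructed: malformed escape
];

function run() {
  return samples.map((path) => ({ path, ...checkPathname(path) }));
}

for (const r of run()) {
  console.log(r.path, "->", r.status, r.decoded ?? r.reason);
}
```

A check of this shape cannot tell a deliberately double-encoded path from one whose decoded form legitimately contains the literal text %5B, which is the case this reproduction exercises.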
