Minimal reproduction for an Astro core bug: on-demand routes return 400 Bad Request for any path containing a double URL-encoded character.
- npm install
- npm run dev
- Open http://localhost:4321/foo%255Bbar%255D (%255B is a double-encoded [)
Expected: the route renders ("Matched path: foo%5Bbar%5D").
Actual: 400 Bad Request.
A plain path (/foobar) and a single-encoded path (/foo%5Bbar%5D) both return 200. Only multi-level (%25xx) encoding returns 400.
The rejection comes from validateAndDecodePathname in astro/dist/core/util/pathname.js (the CVE-2025-66202 guard). It runs inside the FetchState constructor, before route matching and before middleware, so it cannot be intercepted in user code.
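The three observed results can be modelled with a decode-once-then-reject check. This is an added sketch, not Astro's validateAndDecodePathname: the name checkPathname, the return shape, and the decode-once logic are assumptions chosen only to reproduce the behaviour reported above.

```javascript
// Hypothetical model of a multi-level-encoding guard (NOT Astro's code).
// Assumption: the guard decodes the pathname once and rejects the request
// if the decoded result still contains a percent-encoded octet.
const ENCODED_OCTET = /%[0-9a-fA-F]{2}/;

function checkPathname(rawPathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPathname);
  } catch {
    // decodeURIComponent throws URIError on input such as "/foo%" or "/foo%ZZ".
    return { status: 400, reason: "malformed percent-encoding" };
  }
  if (ENCODED_OCTET.test(decoded)) {
    // A second decode would yield a different path than the first, so a
    // guard of this kind refuses the request rather than pick one reading.
    // This is also what rejects a route whose real name contains "%5B".
    return { status: 400, reason: "multi-level encoding", decodedOnce: decoded };
  }
  return { status: 200, pathname: decoded };
}

// Constructed sample paths: the three from this reproduction plus two edge cases.
const SAMPLES = [
  "/foobar",             // plain
  "/foo%5Bbar%5D",       // single-encoded [ and ]
  "/foo%255Bbar%255D",   // double-encoded [ and ]
  "/foo%25255Bbar",      // triple-encoded [
  "/foo%",               // truncated escape
];

function runSamples() {
  return SAMPLES.map((p) => ({ path: p, ...checkPathname(p) }));
}

for (const row of runSamples()) {
  console.log(row.status, row.path, row.reason ?? `-> ${row.pathname}`);
}
```

Under this model the reproduction's expected output ("Matched path: foo%5Bbar%5D") can never be reached, because foo%5Bbar%5D is exactly the decoded-once value the check refuses.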