App.match() uses unguarded decodeURI — malformed request path throws uncaught URIError (500) in on-demand adapters

[timveil]

Astro Info

Astro                    v6.4.2
Node                     v24.15.0
System                   macOS (arm64) / Linux (Cloudflare Workers / workerd)
Package Manager          pnpm
Output                   static (with on-demand `prerender = false` routes)
Adapter                  @astrojs/cloudflare (v13.6.0)

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

App.match() (core/app/base.js) decodes the request pathname with a raw, unguarded decodeURI() in three places:

// core/app/base.js
const routeData = this.pipeline.matchRoute(decodeURI(pathname));      // ~L148
const allMatches = this.pipeline.matchAllRoutes(decodeURI(pathname)); // ~L155
routeData = this.pipeline.matchRoute(decodeURI(domainPathname));      // ~L262

If the request path contains a percent-sequence that is not valid UTF-8 — e.g. %C0%AF (an overlong-UTF-8 encoding of /, extremely common in automated path-traversal / .env scanners) — decodeURI() throws URIError: URI malformed.

On-demand adapters call App.match() directly per request. For example @astrojs/cloudflare's server handler:

// @astrojs/cloudflare/dist/utils/handler.js
routeData = app.match(request);   // not wrapped — URIError escapes the worker `fetch`

Because the throw happens before app.render(), it cannot be caught by user middleware (src/middleware.ts) either. The result is an uncaught exception → HTTP 500 (and, on Cloudflare, a logged worker exception) for any malformed request path, rather than a normal 404.

This is notable because Astro already handles this exact hazard gracefully everywhere else:

• getPathnameFromRequest() in the same file wraps decodeURI in try/catch and falls back to the raw pathname:

  // core/app/base.js — getPathnameFromRequest()
  try {
    return decodeURI(pathname);
  } catch (e) {
    this.adapterLogger.error(e.toString());
    return pathname;
  }

• normalizeUrl() (core/util/normalized-url.js) routes decoding through validateAndDecodePathname() (added in v6.3.2, Reject double-encoded URL paths in pathname normalization #16556) and falls back without throwing on a plain decode failure.

So App.match() is the one decode path that still uses an unguarded decodeURI, bypassing both the try/catch pattern and validateAndDecodePathname.

What's the expected result?

A malformed/undecodable request path should resolve to a normal 404 (no matching route), consistent with the graceful fallback already used by getPathnameFromRequest() and normalizeUrl() — not an uncaught URIError/500.

What's the actual result?

decodeURI() throws URIError: URI malformed; the exception escapes the adapter's fetch handler. On @astrojs/cloudflare this surfaces as a worker exception and a 500. User middleware cannot intercept it because it is thrown before the render pipeline runs.

Link to Minimal Reproducible Example

Any deployment with an on-demand (prerender = false) route reproduces it. Against such a deployment:

curl -i 'https://<your-site>/..%C0%AF.env'
# → 500 + "URIError: URI malformed" in adapter/worker logs

(Observed in production from automated .env scanners against an @astrojs/cloudflare Worker.)

Participation

• I am willing to submit a pull request for this issue.

Suggested fix

Wrap the decodeURI calls in App.match() the same way getPathnameFromRequest() already does (or route them through validateAndDecodePathname with a graceful fallback), so a decode failure yields "no match" → 404 rather than an uncaught throw. Happy to open a PR mirroring the existing try/catch pattern.

[astrobot-houston]

• Reproduced: Yes
• Exploration: Yes — View branch
• Unit Test: Yes — packages/astro/test/units/app/malformed-uri.test.ts
• Priority: P3: minor bug. This affects any SSR site receiving requests with malformed percent-encoded paths (e.g. %C0%AF), which is common from automated scanners. It produces 500s instead of 404s, but only for invalid/attack traffic — normal user requests are unaffected. The @astrojs/node standalone adapter already has a separate guard that masks the issue.

Three decodeURI() calls in packages/astro/src/core/app/base.ts (match() at lines 294 and 306, render() at line 447) lack the try/catch guard that exists everywhere else in the codebase. When a request path contains percent-encoded bytes that aren't valid UTF-8 (e.g. %C0%AF), decodeURI() throws URIError, which propagates uncaught through adapters (Cloudflare, Netlify, Vercel, Node middleware mode) and surfaces as a 500 instead of a 404. The same file already has the correct pattern in getPathnameFromRequest() — this was an oversight when decodeURI was moved into match() in PR #13303.

I found a potential fix for this issue. The fix wraps the decodeURI calls in match() and render() with try/catch — in match(), decoding is done once into a local variable and returns undefined (404) immediately on failure; in render(), the domain-pathname fallback silently skips on decode failure. All 222 existing app unit tests pass, plus 5 new test cases covering malformed sequences.

Try this fix

You can test this fix right now without waiting for a release:

npm i https://pkg.pr.new/astro@e34c164

If this fixes your issue, please leave a comment letting us know (e.g. "confirmed, this fixes it"). We'll then open a pull request to get this merged.

Full Triage Report

Triage Report: Issue #16916

Issue Details

Title: App.match() uses unguarded decodeURI — malformed request path throws uncaught URIError (500) in on-demand adapters

URL: #16916

Author: timveil

Created: 2026-05-30

Labels: needs triage

Description

App.match() in core/app/base.ts calls decodeURI() without try/catch in three places. If the request path contains a percent-sequence that is not valid UTF-8 (e.g., %C0%AF — an overlong UTF-8 encoding of /, commonly sent by automated path-traversal scanners), decodeURI() throws URIError: URI malformed.

On-demand adapters call App.match() directly per request. Because the throw happens before app.render(), it cannot be caught by user middleware. The result is an uncaught exception → HTTP 500 instead of a normal 404.

Expected Result

A malformed/undecodable request path should resolve to a normal 404 (no matching route), consistent with the graceful fallback already used by getPathnameFromRequest() and normalizeUrl().

Actual Result

decodeURI() throws URIError: URI malformed; the exception escapes the adapter's fetch handler, causing a 500 error.

Environment

• Astro version: v6.4.2 (issue report); current main branch (reproduction)
• Node.js: v24.15.0
• Package Manager: pnpm
• Adapters affected: All on-demand SSR adapters (Cloudflare, Node, etc.)
  • Note: @astrojs/node standalone mode has a separate guard in standalone.ts that catches this before App.match(), but the core bug remains

Reproduction

Status: ✅ REPRODUCED

Steps to Reproduce

1. Build any Astro project with output: 'server' (SSR / on-demand rendering)
2. Call App.match() with a Request whose URL contains a malformed percent-encoded path like %C0%AF
3. Example: app.match(new Request('http://example.com/..%C0%AF.env'))

Error Output

URIError: URI malformed
    at decodeURI (<anonymous>)
    at MyApp.match (file:///.../_virtual_astro_legacy-ssr-entry_HsI_S0Ci.mjs:9425:48)

Root Cause

The bug is a missing error guard on three decodeURI() calls in packages/astro/src/core/app/base.ts:

Line	Method	Has try/catch?
271	getPathnameFromRequest()	✅ Yes
294	match()	❌ No
306	match()	❌ No
447	render()	❌ No

The unguarded calls were introduced as a side effect of PR #13303 (fixing double encoding during route matching). The rest of the codebase consistently guards decodeURI with try/catch.

Fix

File: packages/astro/src/core/app/base.ts

• match(): Decode once into a decodedPathname variable with try/catch; return undefined (404) immediately on URIError.
• render(): Wrap the domain-pathname decodeURI in try/catch; leave routeData unset on failure.

Unit Test: packages/astro/test/units/app/malformed-uri.test.ts — 5 test cases covering %C0%AF, %FE, %FF, %C0, and valid URLs. Verified to fail without the fix and pass with it.

Changeset: .changeset/fix-malformed-uri-match.md — patch bump for astro.

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.