CVE-2025-64764
Astro < 5.15.8 - Reflected Cross-Site Scripting via Server Islands Feature
Tags: HIGH, EXPLOITED, NUCLEI
Title source: llm
Exploitation Summary
CVE-2025-64764 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what the component template(s) intended to render. This issue has been patched in version 5.15.8.
Nuclei Templates (1)
Astro - Reflected XSS via server islands feature
HIGH, VERIFIED, by DhiyaneshDk, zhero___
Shodan:
html:"_server-islands"
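Triage helper, added here as an illustration and not part of the advisory, the Nuclei template or the Astro project: it takes the two facts this page gives (affected range < 5.15.8, and the `_server-islands` marker that the Shodan query keys on) and turns them into a repeatable check over a package-lock.json and a rendered page. The lock-file excerpt, the HTML snippet and all function names are constructed for the example; the semver comparison is written out so that prerelease builds such as 5.15.8-beta.1 are correctly treated as below the fixed release.

```javascript
// Added triage helper for CVE-2025-64764. Fixed version and the "_server-islands"
// fingerprint come from the advisory/Shodan query on this page; every input below is
// constructed sample data, not captured from a real deployment.

const FIXED_VERSION = "5.15.8"; // first patched astro release per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Semver ordering: compare the core triple first; a prerelease of a version sorts
// before the release itself, numeric prerelease identifiers sort before alphanumeric ones.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;  // release > prerelease
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter identifier list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed astro version is below the fixed release 5.15.8.
function isAffectedAstroVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Read the resolved astro version from a package-lock.json (lockfileVersion 2/3 layout,
// where installed packages are keyed by their node_modules path).
function astroVersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages && lock.packages["node_modules/astro"];
  return entry && typeof entry.version === "string" ? entry.version : null;
}

// Same test the Shodan query html:"_server-islands" performs: does the rendered page
// reference the server islands feature at all?
function usesServerIslands(html) {
  return html.includes("_server-islands");
}

// Combine both signals: the advisory describes the issue as present when the feature is
// used on an affected version, so only the conjunction is flagged as likely vulnerable.
function triage(lockJson, html) {
  const version = astroVersionFromLock(lockJson);
  const affectedVersion = version !== null && isAffectedAstroVersion(version);
  const serverIslandsSeen = usesServerIslands(html);
  return { version, affectedVersion, serverIslandsSeen, likelyVulnerable: affectedVersion && serverIslandsSeen };
}

// Constructed sample inputs (hypothetical project, hypothetical page).
const SAMPLE_LOCK = JSON.stringify({
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { astro: "^5.15.0" } },
    "node_modules/astro": { version: "5.15.7" },
  },
});
const SAMPLE_HTML =
  '<html><body><div id="app"></div><script>/* constructed: references _server-islands */</script></body></html>';

console.log(triage(SAMPLE_LOCK, SAMPLE_HTML));
```

Run with `node triage.js`; in a real engagement feed it the project's own package-lock.json and the HTML of a page that renders a server island. A site that only fails the version check still needs patching, but without the `_server-islands` marker it does not match the condition the advisory describes.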
References (2)
Core References
https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723 (Exploit, Vendor Advisory; x_refsource_confirm)
Scores
CVSS v3
7.1
EPSS
0.0024
EPSS Percentile
48.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2025-12-15
CWE
CWE-80
Status
published
Products (2)
astro/astro: < 5.15.8
npm/astro: 0 - 5.15.8 (npm)
Published
Nov 19, 2025
Tracked Since
Feb 18, 2026