astro 6.4.7 → 6.4.8

package/dist/cli/infra/build-time-astro-version-provider.js

@@ -1,6 +1,6 @@
 class BuildTimeAstroVersionProvider {
   // Injected during the build through esbuild define
-  version = "6.4.7";
+  version = "6.4.8";
 }
 export {
   BuildTimeAstroVersionProvider

package/dist/content/content-layer.js

@@ -197,7 +197,7 @@ ${contentConfig.error.message}`
       logger.info("Content config changed");
       shouldClear = true;
     }
-    if (previousAstroVersion && previousAstroVersion !== "6.4.7") {
+    if (previousAstroVersion && previousAstroVersion !== "6.4.8") {
       logger.info("Astro version changed");
       shouldClear = true;
     }
@@ -205,8 +205,8 @@ ${contentConfig.error.message}`
       logger.info("Clearing content store");
       this.#store.clearAll();
     }
-    if ("6.4.7") {
-      this.#store.metaStore().set("astro-version", "6.4.7");
+    if ("6.4.8") {
+      this.#store.metaStore().set("astro-version", "6.4.8");
     }
     if (currentConfigDigest) {
       this.#store.metaStore().set("content-config-digest", currentConfigDigest);

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "6.4.7";
+const ASTRO_VERSION = "6.4.8";
 const ASTRO_GENERATOR = `Astro v${ASTRO_VERSION}`;
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";

package/dist/core/dev/dev.js

@@ -37,7 +37,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "6.4.7";
+  const currentVersion = "6.4.8";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/fetch/fetch-state.d.ts

@@ -134,6 +134,12 @@ export declare class FetchState implements AstroFetchState {
     status: number;
     /** Whether user middleware should be skipped for this request. */
     skipMiddleware: boolean;
+    /**
+     * Set to `true` when the request path was encoded too many times to fully
+     * decode (see {@link validateAndDecodePathname}). These requests are
+     * rejected with a `400` before middleware or routing run.
+     */
+    invalidEncoding: boolean;
     /** A flag that tells the render content if the rewriting was triggered. */
     isRewriting: boolean;
     /** A safety net in case of loops (rewrite counter). */

package/dist/core/fetch/fetch-state.js

@@ -29,7 +29,7 @@ import { getParams, getProps } from "../render/index.js";
 import { Rewrites } from "../rewrites/handler.js";
 import { isRoute404or500, isRouteServerIsland } from "../routing/match.js";
 import { normalizeUrl } from "../util/normalized-url.js";
-import { validateAndDecodePathname } from "../util/pathname.js";
+import { MultiLevelEncodingError, validateAndDecodePathname } from "../util/pathname.js";
 import { getOriginPathname, setOriginPathname } from "../routing/rewrite.js";
 import { computePathnameFromDomain } from "../i18n/domain.js";
 import { getCustom404Route, routeHasHtmlExtension } from "../routing/helpers.js";
@@ -88,6 +88,12 @@ class FetchState {
   status = 200;
   /** Whether user middleware should be skipped for this request. */
   skipMiddleware = false;
+  /**
+   * Set to `true` when the request path was encoded too many times to fully
+   * decode (see {@link validateAndDecodePathname}). These requests are
+   * rejected with a `400` before middleware or routing run.
+   */
+  invalidEncoding = false;
   /** A flag that tells the render content if the rewriting was triggered. */
   isRewriting = false;
   /** A safety net in case of loops (rewrite counter). */
@@ -681,6 +687,10 @@ class FetchState {
     try {
       return validateAndDecodePathname(pathname);
     } catch (e) {
+      if (e instanceof MultiLevelEncodingError) {
+        this.invalidEncoding = true;
+        return pathname;
+      }
       this.pipeline.logger.error(null, e.toString());
       return pathname;
     }

package/dist/core/i18n/handler.js

@@ -47,7 +47,7 @@ class I18n {
     if (typeHeader !== "page" && typeHeader !== "fallback") {
       return response;
     }
-    const url = new URL(state.request.url);
+    const url = state.url;
     const currentLocale = state.computeCurrentLocale();
     const isPrerendered = state.routeData.prerender;
     const routerContext = {

package/dist/core/messages/runtime.js

@@ -276,7 +276,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"6.4.7"}`
+        `v${"6.4.8"}`
       )} ${headline}`
     );
   }

package/dist/core/routing/handler.js

@@ -65,6 +65,9 @@ class AstroHandler {
   }
   async handle(state) {
     state.pipeline.usedFeatures |= ALL_PIPELINE_FEATURES;
+    if (state.invalidEncoding) {
+      return new Response(null, { status: 400, statusText: "Bad Request" });
+    }
     const trailingSlashRedirect = this.#trailingSlashHandler.handle(state);
     if (trailingSlashRedirect) {
       return trailingSlashRedirect;

package/dist/core/routing/rewrite.js

@@ -10,6 +10,7 @@ import {
   trimSlashes
 } from "../path.js";
 import { createRequest } from "../request.js";
+import { validateAndDecodePathname } from "../util/pathname.js";
 import { DEFAULT_404_ROUTE } from "./internal/astro-designed-error-pages.js";
 import { isRoute404, isRoute500 } from "./internal/route-errors.js";
 function findRouteToRewrite({
@@ -36,7 +37,7 @@ function findRouteToRewrite({
     buildFormat
   );
   newUrl.pathname = resolvedUrlPathname;
-  const decodedPathname = decodeURI(pathname);
+  const decodedPathname = validateAndDecodePathname(pathname);
   if (isRoute404(decodedPathname)) {
     const errorRoute = routes.find((route) => route.route === "/404");
     if (errorRoute) {

package/dist/core/util/pathname.d.ts

@@ -1,25 +1,26 @@
 /**
- * Error thrown when multi-level URL encoding is detected in a pathname.
- * This is a distinct error type so callers can handle it specifically
- * (e.g., returning a 400 response) rather than falling back to partial decoding.
- *
- * @deprecated No longer thrown internally — multi-level encoding is now
- * decoded iteratively instead of rejected. Kept for backwards compatibility
- * in case third-party code references the class.
+ * Thrown when a URL path is encoded so many times that we give up decoding it
+ * (see {@link validateAndDecodePathname}). When this happens we reject the
+ * request with a `400` instead of guessing the path. If we let a half-decoded
+ * path through, your middleware might check one path while Astro routes to a
+ * different one.
  */
 export declare class MultiLevelEncodingError extends Error {
     constructor();
 }
 /**
- * Decodes a pathname iteratively until stable, collapsing all levels of
- * percent-encoding into a single canonical form. This prevents
- * double/triple encoding from bypassing middleware authorization checks
- * (CVE-2025-66202) — instead of rejecting multi-level encoding, we
- * fully resolve it so middleware always sees the true decoded path.
+ * Decodes a URL path over and over until it stops changing, so a path that was
+ * encoded several times ends up as a single, final path. This stops someone
+ * from sneaking a path like `/admin` past middleware by encoding it multiple
+ * times — middleware always sees the real, decoded path.
  *
- * @param pathname - The pathname to decode
- * @returns The fully decoded pathname
- * @throws Error if the pathname contains invalid URL encoding that
- *   cannot be decoded at all (e.g., a bare `%` not followed by hex digits)
+ * @param pathname - The path to decode
+ * @returns The final, fully decoded path
+ * @throws Error if the path has broken encoding that can't be decoded at all
+ *   (for example a lone `%` that isn't followed by two hex digits)
+ * @throws MultiLevelEncodingError if the path is still changing after
+ *   {@link MAX_DECODE_ITERATIONS} tries (it was encoded too many times).
+ *   Handing back a half-decoded path here would bring back the security hole
+ *   this function exists to close.
  */
 export declare function validateAndDecodePathname(pathname: string): string;

package/dist/core/util/pathname.js

@@ -1,9 +1,10 @@
 class MultiLevelEncodingError extends Error {
   constructor() {
-    super("Multi-level URL encoding is not allowed");
+    super("URL encoding depth exceeded the maximum number of decode iterations");
     this.name = "MultiLevelEncodingError";
   }
 }
+const MAX_DECODE_ITERATIONS = 10;
 function validateAndDecodePathname(pathname) {
   let decoded;
   try {
@@ -12,7 +13,10 @@ function validateAndDecodePathname(pathname) {
     throw new Error("Invalid URL encoding");
   }
   let iterations = 0;
-  while (decoded !== pathname && iterations < 10) {
+  while (decoded !== pathname) {
+    if (iterations >= MAX_DECODE_ITERATIONS) {
+      throw new MultiLevelEncodingError();
+    }
     pathname = decoded;
     try {
       decoded = decodeURI(pathname);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro",
-  "version": "6.4.7",
+  "version": "6.4.8",
   "description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
   "type": "module",
   "author": "withastro",
@@ -166,8 +166,8 @@
     "yargs-parser": "^22.0.0",
     "zod": "^4.3.6",
     "@astrojs/internal-helpers": "0.10.0",
-    "@astrojs/markdown-remark": "7.2.0",
-    "@astrojs/telemetry": "3.3.2"
+    "@astrojs/telemetry": "3.3.2",
+    "@astrojs/markdown-remark": "7.2.0"
   },
   "optionalDependencies": {
     "sharp": "^0.34.0"