Expand intel coverage and refresh monitoring

07-framework-security/frameworks/astro/cases/astro-cve-2024-47885.md

@@ -0,0 +1,124 @@
+---
+title: "DOM Clobbering Gadget found in astro's client-side router that leads to XSS"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-10-14T20:02:21Z"
+updated_date: "2025-11-27T08:16:37.087731Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-47885"
+  - "GHSA-m85w-3h95-hcf9"
+affected_versions:
+  - "introduced=3.0.0, fixed<4.16.1"
+fixed_versions:
+  - "4.16.1"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "dom-sink-hardening"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9"
+---
+
+# DOM Clobbering Gadget found in astro's client-side router that leads to XSS
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2024-47885`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9
+- 影响版本: `introduced=3.0.0, fixed<4.16.1`
+- 修复版本: `4.16.1`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-47885
+- https://github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dom-sink-hardening.md)
+- [nodejs:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/nodejs/dom-sink-hardening.md)
+- [java:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/java/dom-sink-hardening.md)
+- [php:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/php/dom-sink-hardening.md)
+- [python:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/python/dom-sink-hardening.md)
+- [ruby:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/ruby/dom-sink-hardening.md)
+- [csharp:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/csharp/dom-sink-hardening.md)
+- [go:dom-sink-hardening](/Users/x/websafe/05-defense/secure-code/go/dom-sink-hardening.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/frameworks/astro/cases/astro-cve-2024-56140.md

@@ -0,0 +1,116 @@
+---
+title: "Atro CSRF Middleware Bypass (security.checkOrigin)"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-12-18T15:02:37Z"
+updated_date: "2025-11-27T08:18:05.038082Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-56140"
+  - "GHSA-c4pw-33h3-35xw"
+affected_versions:
+  - "introduced=0, fixed<4.16.17"
+fixed_versions:
+  - "4.16.17"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw"
+---
+
+# Atro CSRF Middleware Bypass (security.checkOrigin)
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2024-56140`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-c4pw-33h3-35xw
+- 影响版本: `introduced=0, fixed<4.16.17`
+- 修复版本: `4.16.17`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-56140
+- https://github.com/withastro/astro/commit/e7d14c374b9d45e27089994a4eb72186d05514de
+- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)

07-framework-security/frameworks/astro/cases/astro-cve-2024-56159.md

@@ -0,0 +1,102 @@
+---
+title: "Astro's server source code is exposed to the public if sourcemaps are enabled"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2024-12-19T15:12:33Z"
+updated_date: "2025-11-27T08:18:38.026555Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2024-56159"
+  - "GHSA-49w6-73cw-chjr"
+affected_versions:
+  - "introduced=5.0.0-alpha.0, fixed<5.0.8"
+  - "introduced=0, fixed<4.16.18"
+fixed_versions:
+  - "5.0.8"
+  - "4.16.18"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
+---
+
+# Astro's server source code is exposed to the public if sourcemaps are enabled
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2024-56159`
+- 系统: `astro`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr
+- 影响版本: `introduced=5.0.0-alpha.0, fixed<5.0.8, introduced=0, fixed<4.16.18`
+- 修复版本: `5.0.8, 4.16.18`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2024-56159
+- https://github.com/withastro/astro/issues/12703
+- https://github.com/withastro/astro/commit/039d022b1bbaacf9ea83071d27affc5318e0e515
+- https://github.com/withastro/astro/commit/c879f501ff01b1a3c577de776a1f7100d78f8dd5
+- https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-54793.md

@@ -0,0 +1,87 @@
+---
+title: "Astros's duplicate trailing slash feature leads to an open redirection security issue"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-08-07T16:41:55Z"
+updated_date: "2025-11-27T08:35:13.558198Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-54793"
+  - "GHSA-cq8c-xv66-36gw"
+affected_versions:
+  - "introduced=5.2.0, fixed<5.12.8"
+fixed_versions:
+  - "5.12.8"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw"
+---
+
+# Astros's duplicate trailing slash feature leads to an open redirection security issue
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-54793`
+- 系统: `astro`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw
+- 影响版本: `introduced=5.2.0, fixed<5.12.8`
+- 修复版本: `5.12.8`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-54793
+- https://github.com/withastro/astro/commit/0567fb7b50c0c452be387dd7c7264b96bedab48f
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-55303.md

@@ -0,0 +1,100 @@
+---
+title: "Astro allows unauthorized third-party images in _image endpoint"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-08-19T15:40:31Z"
+updated_date: "2025-11-27T08:22:36.525875Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-55303"
+  - "GHSA-xf8x-j4p2-f749"
+affected_versions:
+  - "introduced=5.0.0-alpha.0, fixed<5.13.2"
+  - "introduced=0, fixed<9.1.1"
+  - "introduced=0, fixed<4.16.19"
+fixed_versions:
+  - "5.13.2"
+  - "9.1.1"
+  - "4.16.19"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749"
+---
+
+# Astro allows unauthorized third-party images in _image endpoint
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-55303`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749
+- 影响版本: `introduced=5.0.0-alpha.0, fixed<5.13.2, introduced=0, fixed<9.1.1, introduced=0, fixed<4.16.19`
+- 修复版本: `5.13.2, 9.1.1, 4.16.19`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-55303
+- https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-59837.md

@@ -0,0 +1,115 @@
+---
+title: "Astro's bypass of image proxy domain validation leads to SSRF and potential XSS"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-10-28T17:45:04Z"
+updated_date: "2025-10-29T14:48:45Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-59837"
+  - "GHSA-qcpr-679q-rhm2"
+affected_versions:
+  - "introduced=5.13.4, fixed<5.13.10"
+fixed_versions:
+  - "5.13.10"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "ssrf-url-validation"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2"
+---
+
+# Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-59837`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
+- 影响版本: `introduced=5.13.4, fixed<5.13.10`
+- 修复版本: `5.13.10`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-59837
+- https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
+- https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-61925.md

@@ -0,0 +1,97 @@
+---
+title: "Astro's `X-Forwarded-Host` is reflected without validation"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-10-10T23:41:29Z"
+updated_date: "2025-10-11T00:12:31.565977Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-61925"
+  - "GHSA-5ff5-9fcw-vg88"
+affected_versions:
+  - "introduced=0, fixed<5.14.3"
+fixed_versions:
+  - "5.14.3"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
+---
+
+# Astro's `X-Forwarded-Host` is reflected without validation
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-61925`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88
+- 影响版本: `introduced=0, fixed<5.14.3`
+- 修复版本: `5.14.3`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-61925
+- https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f
+- https://github.com/Chisnet/minimal_dynamic_astro_server
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-64525.md

@@ -0,0 +1,134 @@
+---
+title: "Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-13T22:46:24Z"
+updated_date: "2025-11-13T22:46:24Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64525"
+  - "GHSA-hr2q-hp5q-x767"
+affected_versions:
+  - "introduced=2.16.0, fixed<5.15.5"
+fixed_versions:
+  - "5.15.5"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "ssrf-url-validation"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767"
+---
+
+# Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64525`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-hr2q-hp5q-x767
+- 影响版本: `introduced=2.16.0, fixed<5.15.5`
+- 修复版本: `5.15.5`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64525
+- https://github.com/withastro/astro/commit/dafbb1ba29912099c4faff1440033edc768af8b4
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L121
+- https://github.com/withastro/astro/blob/970ac0f51172e1e6bff4440516a851e725ac3097/packages/astro/src/core/app/node.ts#L97
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-64745.md

@@ -0,0 +1,116 @@
+---
+title: "Astro development server error page is vulnerable to reflected Cross-site Scripting"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-13T22:38:30Z"
+updated_date: "2025-11-27T08:22:31.471739Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64745"
+  - "GHSA-w2vj-39qv-7vh7"
+affected_versions:
+  - "introduced=5.2.0, fixed<5.15.6"
+fixed_versions:
+  - "5.15.6"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7"
+---
+
+# Astro development server error page is vulnerable to reflected Cross-site Scripting
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64745`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-w2vj-39qv-7vh7
+- 影响版本: `introduced=5.2.0, fixed<5.15.6`
+- 修复版本: `5.15.6`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64745
+- https://github.com/withastro/astro/pull/12994
+- https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
+- https://github.com/withastro/astro
+- https://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-64757.md

@@ -0,0 +1,105 @@
+---
+title: "Astro Development Server has Arbitrary Local File Read"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T19:43:05Z"
+updated_date: "2025-11-20T14:43:59.558170Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64757"
+  - "GHSA-x3h8-62x9-952g"
+affected_versions:
+  - "introduced=0, fixed<5.14.3"
+fixed_versions:
+  - "5.14.3"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "path-traversal-guard"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
+---
+
+# Astro Development Server has Arbitrary Local File Read
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64757`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g
+- 影响版本: `introduced=0, fixed<5.14.3`
+- 修复版本: `5.14.3`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64757
+- https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/javascript-typescript/path-traversal-guard.md)
+- [nodejs:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/nodejs/path-traversal-guard.md)
+- [java:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/java/path-traversal-guard.md)
+- [php:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/php/path-traversal-guard.md)
+- [python:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/python/path-traversal-guard.md)
+- [ruby:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/ruby/path-traversal-guard.md)
+- [csharp:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/csharp/path-traversal-guard.md)
+- [go:path-traversal-guard](/Users/x/websafe/05-defense/secure-code/go/path-traversal-guard.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-64764.md

@@ -0,0 +1,114 @@
+---
+title: "Astro vulnerable to reflected XSS via the server islands feature"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T20:00:14Z"
+updated_date: "2025-11-20T14:43:59.624508Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64764"
+  - "GHSA-wrwg-2hg8-v723"
+affected_versions:
+  - "introduced=0, fixed<5.15.8"
+fixed_versions:
+  - "5.15.8"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723"
+---
+
+# Astro vulnerable to reflected XSS via the server islands feature
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64764`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723
+- 影响版本: `introduced=0, fixed<5.15.8`
+- 修复版本: `5.15.8`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64764
+- https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-64765.md

@@ -0,0 +1,114 @@
+---
+title: "Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T20:03:21Z"
+updated_date: "2026-02-04T03:01:27.986221Z"
+severity: "medium"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-64765"
+  - "GHSA-ggxq-hp9w-j794"
+affected_versions:
+  - "introduced=0, fixed<5.15.8"
+fixed_versions:
+  - "5.15.8"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
+---
+
+# Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-64765`
+- 系统: `astro`
+- 严重度: `medium`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
+- 影响版本: `introduced=0, fixed<5.15.8`
+- 修复版本: `5.15.8`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64765
+- https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-65019.md

@@ -0,0 +1,132 @@
+---
+title: "Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-11-19T20:09:12Z"
+updated_date: "2025-11-27T08:33:26.119485Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-65019"
+  - "GHSA-fvmw-cj7j-j39q"
+affected_versions:
+  - "introduced=0, fixed<5.15.9"
+fixed_versions:
+  - "5.15.9"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "plugin-extension-trust-policy"
+  - "dependency-upgrade-policy"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q"
+---
+
+# Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-65019`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q
+- 影响版本: `introduced=0, fixed<5.15.9`
+- 修复版本: `5.15.9`
+
+## 其他来源
+
+- https://nvd.nist.gov/vuln/detail/CVE-2025-65019
+- https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/plugin-extension-trust-policy.md)
+- [nodejs:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/nodejs/plugin-extension-trust-policy.md)
+- [java:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/java/plugin-extension-trust-policy.md)
+- [php:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/php/plugin-extension-trust-policy.md)
+- [python:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/python/plugin-extension-trust-policy.md)
+- [ruby:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/ruby/plugin-extension-trust-policy.md)
+- [csharp:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/csharp/plugin-extension-trust-policy.md)
+- [go:plugin-extension-trust-policy](/Users/x/websafe/05-defense/secure-code/go/plugin-extension-trust-policy.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)

07-framework-security/frameworks/astro/cases/astro-cve-2025-66202.md

@@ -0,0 +1,98 @@
+---
+title: "Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765"
+system_id: "astro"
+category: "frameworks"
+advisory_mode: "core"
+published_date: "2025-12-08T16:26:43Z"
+updated_date: "2026-02-04T02:27:12.689316Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "official"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2025-66202"
+  - "GHSA-whqg-ppgf-wp8c"
+affected_versions:
+  - "introduced=0, fixed<5.15.8"
+fixed_versions:
+  - "5.15.8"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "csp-trusted-types"
+  - "proxy-trust-boundary"
+primary_source: "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
+---
+
+# Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `astro--CVE-2025-66202`
+- 系统: `astro`
+- 严重度: `low`
+- 来源置信度: `official`
+- 官方主源: https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794
+- 影响版本: `introduced=0, fixed<5.15.8`
+- 修复版本: `5.15.8`
+
+## 其他来源
+
+- https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c
+- https://nvd.nist.gov/vuln/detail/CVE-2025-64765
+- https://nvd.nist.gov/vuln/detail/CVE-2025-66202
+- https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce
+- https://github.com/withastro/astro
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/javascript-typescript/csp-trusted-types.md)
+- [nodejs:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/nodejs/csp-trusted-types.md)
+- [java:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/java/csp-trusted-types.md)
+- [php:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/php/csp-trusted-types.md)
+- [python:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/python/csp-trusted-types.md)
+- [ruby:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/ruby/csp-trusted-types.md)
+- [csharp:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/csharp/csp-trusted-types.md)
+- [go:csp-trusted-types](/Users/x/websafe/05-defense/secure-code/go/csp-trusted-types.md)
+- [javascript-typescript:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/javascript-typescript/proxy-trust-boundary.md)
+- [nodejs:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/nodejs/proxy-trust-boundary.md)
+- [java:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/java/proxy-trust-boundary.md)
+- [php:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/php/proxy-trust-boundary.md)
+- [python:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/python/proxy-trust-boundary.md)
+- [ruby:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/ruby/proxy-trust-boundary.md)
+- [csharp:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/csharp/proxy-trust-boundary.md)
+- [go:proxy-trust-boundary](/Users/x/websafe/05-defense/secure-code/go/proxy-trust-boundary.md)