4 matches found
Astro Cloudflare Adapter - Server Side Request Forgery
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...
EUVD-2025-198182
Astro Cloudflare adapter has Stored Cross Site Scripting vulnerability in /image endpoint...
GHSA-FVMW-CJ7J-J39Q Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Summary A Cross-Site Scripting XSS vulnerability exists in Astro when using the @astrojs/cloudflare adapter with output: 'server'. The built-in image optimization endpoint /image uses isRemoteAllowed from Astro’s internal helpers, which unconditionally allows data: URLs. When the endpoint receive...
CVE-2025-65019
Astro CVE-2025-65019 affects the Cloudflare adapter when using output: 'server'. The image optimization endpoint /_image unconditionally allows data: URLs via isRemoteAllowed(), enabling XSS through malicious SVG payloads that the browser can execute after a 302 redirect. Affected components: @as...