4 matches found
CVE-2026-41321
Summary: CVE-2026-41321 affects the @astrojs/cloudflare SSR adapter used with Cloudflare Workers. Before version 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior, allowing redirects to...
@anyauth/design-system (>=0.5.0 <=0.5.1), @anyauth/shared-deps (=0.1.0) +21 more potentially affected by CVE-2026-41321 via @astrojs/cloudflare (>=10.4.2 <=12.6.13)
@astrojs/cloudflare NPM version =10.4.2, =0.5.0, =1.0.10, =1.1.0, =4.3.2, =1.11.0, =0.0.0-add-workerconfig-to-context--20250905094004-b98e1fec-20250905074005, =0.1.0, =3.0.0, =1.1.0, =0.1.2, =1.0.1, =1.0.4 and more Source cves: CVE-2026-41321 Source advisory: OSV:GHSA-88GM-J2WX-58H6...
@astrojs/cloudflare (>=13.0.0-beta.4 <=13.0.0-beta.14), @astrojs/markdoc (>=1.0.0-beta.7 <=1.0.0-beta.15) +8 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.8.0-beta.0 <=0.8.0-beta.3)
@astrojs/internal-helpers NPM version =0.8.0-beta.0, =13.0.0-beta.4, =1.0.0-beta.7, =7.0.0-beta.4, =5.0.0-beta.4, =7.0.0-beta.6, =10.0.0-beta.1, =10.0.0-beta.1, =6.0.0-beta.7, =6.0.0-beta.20 Source cves: CVE-2026-33769 Source advisory: SNYK:JS-ASTROJSINTERNALHELPERS-15763364...
Server-side Request Forgery
astrojs/cloudflare is vulnerable to Server-side Request Forgery. The vulnerability is due to insufficient URL validation in the generated image optimization endpoint when the adapter is used with output: 'server' and the default imageService: 'compile'. An attacker can exploit this to have the...