3 matches found
CVE-2026-41321
Summary: CVE-2026-41321 affects the @astrojs/cloudflare SSR adapter used with Cloudflare Workers. Before version 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior, allowing redirects to...
@astrojs/cloudflare (>=13.0.0-beta.4 <=13.0.0-beta.14), @astrojs/markdoc (>=1.0.0-beta.7 <=1.0.0-beta.15) +8 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.8.0-beta.0 <=0.8.0-beta.3)
@astrojs/internal-helpers NPM version =0.8.0-beta.0, =13.0.0-beta.4, =1.0.0-beta.7, =7.0.0-beta.4, =5.0.0-beta.4, =7.0.0-beta.6, =10.0.0-beta.1, =10.0.0-beta.1, =6.0.0-beta.7, =6.0.0-beta.20 Source cves: CVE-2026-33769 Source advisory: SNYK:JS-ASTROJSINTERNALHELPERS-15763364...
Server-side Request Forgery
astrojs/cloudflare is vulnerable to Server-side Request Forgery. The vulnerability is due to insufficient URL validation in the generated image optimization endpoint when the adapter is used with output: 'server' and the default imageService: 'compile', an attacker can exploit this to have the...