
6679 matches found

Cvelist
added 2025/08/19 6:8 p.m. · 9 views

CVE-2025-55303 Unauthorized third-party images in Astro’s _image endpoint

Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include a...

CVSS 6.9 · EPSS 0.00599
Exploits: 1 · References: 2

Vulnrichment
added 2025/08/19 6:8 p.m. · 3 views

CVE-2025-55303 Unauthorized third-party images in Astro’s _image endpoint

Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include a...

CVSS 6.9 · AI score 7 · EPSS 0.00599
Exploits: 1 · References: 2

CVE
added 2025/08/19 6:8 p.m. · 21 views

CVE-2025-55303

Astro before 5.13.2 and 4.16.18 has an information disclosure vulnerability in the on-demand rendering image optimization endpoint (_image) that can bypass third-party domain restrictions using protocol-relative URLs (e.g., /_image?href=//example.com/image.png). This allows serving images from un...

CVSS 6.9 · AI score 7 · EPSS 0.00599
In wild · Exploits: 1 · References: 2 · Affected Software: 1

OSV
added 2025/08/19 6:8 p.m. · 6 views

CVE-2025-55303 Unauthorized third-party images in Astro’s _image endpoint

Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include a...

CVSS 6.9 · AI score 6.4 · EPSS 0.00599
Exploits: 1 · References: 4

Debian CVE
added 2025/08/19 5:3 p.m. · 4 views

CVE-2025-38603

Removed by vendor...

AI score 6.8
Exploits: 0

Cvelist
added 2025/08/19 5:3 p.m. · 7 views

CVE-2025-38598 drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 +0.000020 BUG: KASAN: slab-use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 amdgpu +0.000817 Read of size 8 at addr ffff88812eec8c58 by task amdpciunplug/1733...

EPSS 0.00133
Exploits: 0 · References: 2

Debian CVE
added 2025/08/19 5:3 p.m. · 5 views

CVE-2025-38596

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code. The object is potentially already gone after the drm_gem_object_put(). In general the object should be fully constructed before calling drm_gem_handle_create(), except the...

CVSS 7.8 · AI score 6.3 · EPSS 0.00143
Exploits: 0

Vulnrichment
added 2025/08/19 4:58 p.m. · 2 views

CVE-2025-54880 Mermaid does not properly sanitize architecture diagram iconText leading to XSS

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html...

CVSS 5.1 · AI score 6.3 · EPSS 0.00342
Exploits: 1 · References: 3

Snyk
added 2025/08/19 3:40 p.m. · 1 views

Cross-site Scripting (XSS)

Overview: @astrojs/internal-helpers provides internal helpers used by core Astro packages. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_image endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files,...

CVSS 6.9 · AI score 5.5 · EPSS 0.00599
Exploits: 1 · References: 2

Snyk
added 2025/08/19 3:40 p.m. · 6 views

Cross-site Scripting (XSS)

Overview: astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_image endpoint. An attacker can cause loading of unauthorized third-party images, including...

CVSS 6.9 · AI score 5.5 · EPSS 0.00599
Exploits: 1 · References: 2

OSV
added 2025/08/19 3:40 p.m. · 2 views

GHSA-XF8X-J4P2-F749 Astro allows unauthorized third-party images in _image endpoint

Summary: In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. Details: On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of...

CVSS 6.4 · AI score 5.8 · EPSS 0.00599
Exploits: 1 · References: 4

Github Security Blog
added 2025/08/19 3:40 p.m. · 11 views

Astro allows unauthorized third-party images in _image endpoint

Summary: In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. Details: On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of...

CVSS 6.9 · AI score 6.1 · EPSS 0.00599
Exploits: 1 · References: 4 · Affected Software: 2

OSV
added 2025/08/19 11:32 a.m. · 10 views

CLSA-2025-1755603149 Fix of 5 CVEs

OpenJDK 8u462 release - CVE-2025-30749: Java 2D heap corruption, code execution/DoS - CVE-2025-30754: JSSE TLS handshake flaw, weakened encryption - CVE-2025-30761: nashorn sandbox bypass, code execution - CVE-2025-50059: HTTP client header bug, data leak - CVE-2025-50106: Glyph rendering memory...

CVSS 8.6 · AI score 7.2 · EPSS 0.01058
Exploits: 1 · References: 1

Positive Technologies
added 2025/08/19 12:0 a.m. · 6 views

PT-2025-33795

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel contains a flaw within the DRM/rockchip subsystem, specifically related to vop2 handling. The code does not verify the existence of a primary plane after iterating...

CVSS 7.8 · AI score 7.3 · EPSS 0.02163
Exploits: 4 · References: 803

CNNVD
added 2025/08/19 12:0 a.m. · 5 views

Linux kernel security vulnerability

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that originates in the drm/panthor module in the panthor_gem_create_with_handle function that could lead to post-release reuse...

CVSS 7.8 · AI score 6.4 · EPSS 0.00143
Exploits: 0 · References: 4

Positive Technologies
added 2025/08/19 12:0 a.m. · 6 views

PT-2025-33794 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel contains a use-after-free issue within the panthor gem create with handle function related to debugfs code. The vulnerability occurs because an object may be released...

AI score 6.8 · EPSS 0.00143
Exploits: 0 · References: 4

Positive Technologies
added 2025/08/19 12:0 a.m. · 6 views

PT-2025-33828

Name of the Vulnerable Software and Affected Versions: Astro versions prior to 5.13.2; Astro versions prior to 4.16.18. Description: Astro is a web framework for content-driven websites. The image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized...

CVSS 6.9 · AI score 5.3 · EPSS 0.00599
Exploits: 1 · References: 10

Tenable Nessus
added 2025/08/19 12:0 a.m. · 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-38356

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Explicitly exit CT safe mode on unwind During driver probe we might be briefly...

CVSS 5.5 · AI score 6 · EPSS 0.00154
Exploits: 0 · References: 3

CVE
added 2025/08/18 4:36 p.m. · 13 views

CVE-2025-55214

CVE-2025-55214 (Copier) : A directory traversal vulnerability affects Copier libraries and CLI from version 7.1.0 up to, but not including, 9.9.1. When using a safe template, an attacker could cause files to be written outside the destination path by exploiting the template rendering of a generat...

CVSS 6.9 · AI score 7.2 · EPSS 0.00244
Exploits: 0 · References: 2

CVE
added 2025/08/18 4:21 p.m. · 20 views

CVE-2025-55201

CVE-2025-55201 concerns the Copier library/CLI used for rendering project templates. Prior to version 9.9.1, the template rendering context exposes certain pathlib.Path objects in Jinja with unconstrained I/O methods, enabling a safe template to read and write arbitrary files on the filesystem an...

CVSS 8.5 · AI score 6.6 · EPSS 0.0024
Exploits: 0 · References: 2