CVE-2025-65019

Medium CVSS: 5.4

Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.

Vendor

Astro

Product

Astro

CWE

CWE-79

Yayın Tarihi

2025-11-19 17:15:53

Güncelleme

2025-11-25 15:09:57

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Astro MEDIUM Astro 2025

Referanslar

https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533 https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q

Benzer Kayıtlar

Medium

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path head…

Low

CVE-2026-33769

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path…

Medium

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full reque…

Medium

CVE-2026-27829

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domai…

Medium

CVE-2026-27729

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit,…

Medium

CVE-2026-25545

Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered cus…