GHSA-fvmw-cj7j-j39q: Astro Cloudflare adapter has Stored Cross Site Scripting vulnerability in /_image endpoint

Summary

When using Astro’s Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections.

Details

On-demand rendered sites built with Astro include an /_image endpoint for image optimization. While this endpoint is designed to restrict processing to local images and authorized remote domains (configured via image.domains or image.remotePatterns), a critical vulnerability exists in the underlying validation logic.

The isRemoteAllowed() function in packages/internal-helpers/src/remote.ts (lines 128-131) unconditionally allows ALL data: protocol URLs without any validation or sanitization. When combined with SVG images containing JavaScript, this creates a vector for XSS attacks.

Vulnerable Code:

packages/internal-helpers/src/remote.ts, lines 128-131:

if (url.protocol === 'data:') {
    return true;  // ← Unconditionally allows ALL data: URLs!
}

Whether the bypass is exploitable depends on what the image endpoint does with the accepted source:

  • Safe implementation: the server decodes the SVG and transcodes it to a raster format (PNG/JPEG), so no script survives the round trip
  • Vulnerable implementation: the server does not transcode but redirects the browser to the raw SVG data: URL, and the browser renders the SVG, executing any JavaScript it contains
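The following TypeScript is an added example, not Astro's own code and not the upstream fix: it models the allow-list check behind /_image with the unconditional data: branch next to a hardened variant that only accepts data: URLs carrying a raster media type. The config shape follows Astro's image.domains / image.remotePatterns options, but the hostname matching is a simplified stand-in, and the SVG payload used to exercise it is constructed here for illustration.

```typescript
// Added example: a minimal model of the /_image source allow-list.
// Not the code from @astrojs/internal-helpers; matching rules are simplified.

interface RemotePattern {
  protocol?: string; // e.g. "https"
  hostname?: string; // exact host, "*.example.com" (one label) or "**.example.com" (any depth)
}

interface ImageConfig {
  domains?: string[];
  remotePatterns?: RemotePattern[];
}

// new URL() throws on unparseable input; treat that as "not allowed".
function parseUrl(src: string): URL | null {
  try {
    return new URL(src);
  } catch (e) {
    return null;
  }
}

function matchHostname(url: URL, pattern: string): boolean {
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return url.hostname === base || url.hostname.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    const labels = url.hostname.split('.').length;
    return labels === base.split('.').length + 1 && url.hostname.endsWith('.' + base);
  }
  return url.hostname === pattern;
}

function matchPattern(url: URL, p: RemotePattern): boolean {
  if (p.protocol && url.protocol !== p.protocol + ':') return false;
  if (p.hostname && !matchHostname(url, p.hostname)) return false;
  return true;
}

function allowedByPolicy(url: URL, cfg: ImageConfig): boolean {
  const domains = cfg.domains ?? [];
  const patterns = cfg.remotePatterns ?? [];
  return domains.some((d) => matchHostname(url, d)) || patterns.some((p) => matchPattern(url, p));
}

// Media type of a data: URL, lower-cased, with ";base64" / ";charset=" parameters stripped.
// For an opaque scheme the WHATWG URL pathname is everything after "data:".
function dataUrlMediaType(url: URL): string {
  const head = url.pathname.split(',')[0]; // e.g. "image/svg+xml;base64"
  return head.split(';')[0].trim().toLowerCase() || 'text/plain';
}

// Vulnerable shape: the data: branch returns before any policy is consulted,
// so a data:image/svg+xml,... source with a <script> is accepted regardless of config.
function isRemoteAllowedVulnerable(src: string, cfg: ImageConfig): boolean {
  const url = parseUrl(src);
  if (!url) return false;
  if (url.protocol === 'data:') {
    return true; // bypasses domains / remotePatterns entirely
  }
  return allowedByPolicy(url, cfg);
}

// Hardened variant (this example's own choice, not the upstream patch):
// data: URLs are accepted only for raster media types. SVG is a document the
// browser will execute, so it is rejected even though it is nominally an image.
const RASTER_DATA_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp', 'image/avif']);

function isRemoteAllowedHardened(src: string, cfg: ImageConfig): boolean {
  const url = parseUrl(src);
  if (!url) return false;
  if (url.protocol === 'data:') {
    return RASTER_DATA_TYPES.has(dataUrlMediaType(url));
  }
  return allowedByPolicy(url, cfg);
}

// Constructed payload for exercising the check (not the reporter's PoC file).
const SVG_XSS_DATA_URL =
  'data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>';
```

Run against a config that only allows images.example.com: the vulnerable check accepts SVG_XSS_DATA_URL (and any other data: URL), the hardened one rejects it while still accepting a data:image/png source and an https URL on the allowed host. Note that rejecting SVG at the allow-list is only a partial control; an endpoint that redirects to the accepted source rather than transcoding it still hands the browser whatever the source is.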

PoC

  1. Create a new minimal Astro project (astro@latest).

  2. Configure it to use the Cloudflare adapter (@astrojs/cloudflare@12.6.10) with output: 'server'.

  3. Deploy to Cloudflare Pages or Workers.

  4. Write a page that loads an SVG image through the /_image endpoint, using an SVG XSS payload (an SVG containing JavaScript) as the data: URL source.

  5. Open the resulting image URL directly; the SVG renders and the alert fires. In real deployments, applications built on the framework load SVGs through this endpoint (for example behind a CDN) and rely on the framework's validation being secure.

Impact

  1. Stored XSS: Malicious URLs can be crafted to execute JavaScript in victim’s browser
  2. Session Hijacking: JavaScript can access cookies and session tokens
  3. Account Takeover: Combined with CSRF, can perform unauthorized actions
  4. Data Exfiltration: Sensitive information can be stolen and sent to attacker-controlled servers


References

  • Vulnerable function: packages/internal-helpers/src/remote.ts, lines 128-131
  • Similar vulnerability (WordPress stored XSS via SVG upload, CVE-2025-2575): https://dailycve.com/wordpress-stored-xss-via-svg-upload-cve-2025-2575-medium/
  • GHSA-fvmw-cj7j-j39q
  • https://nvd.nist.gov/vuln/detail/CVE-2025-65019
  • withastro/astro@9e9c528
