CVE-2025-55303 Information

Aug 20, 2025 cve

Description

Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18 the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.

Reference

https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820 https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749

CNNVD-202508-2206 (Published: 2025-08-19)

Share on:

CVE-2025-55303 Information

Description

Reference

Related CNNVD