CVE-2025-55303
August 19, 2025
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Affected Packages
astro (NPM):
Affected version(s) >=5.0.0-alpha.0 <5.13.2Fix Suggestion:
Update to version 5.13.2astro (NPM):
Affected version(s) >=0.0.0-i18n-routing-20231101144500 <4.16.19Fix Suggestion:
Update to version 4.16.19@astrojs/node (NPM):
Affected version(s) >=0.0.0-rc-20220721064837 <9.1.1Fix Suggestion:
Update to version 9.1.1Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
EPSS
Base Score:
0.13
