Description
In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
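As an added illustration, not Astro's own code and not a reconstruction of this advisory's root cause, the kind of remote-image allowlist check an on-demand image endpoint must perform before fetching a URL. The config shape follows Astro's `image.domains` / `image.remotePatterns` options; modelling only the protocol and hostname fields, and the `*` / `**` label semantics, is an assumption of this example.

```javascript
// Added example (not Astro's code): allowlist check for a remote image URL.
// Config shape mirrors Astro's `image.domains` / `image.remotePatterns`;
// only protocol and hostname are modelled here (assumption). Sample values
// below are constructed for this example.
const imageConfig = {
  domains: ["cdn.example.com"],
  remotePatterns: [{ protocol: "https", hostname: "**.images.example.net" }],
};

// Turn a hostname pattern into an anchored RegExp (assumed semantics:
// "*" matches exactly one DNS label, "**" matches one or more labels).
function hostnamePatternToRegExp(pattern) {
  const body = pattern
    .split(".")
    .map((label) => {
      if (label === "**") return "(?:[a-z0-9-]+\\.)*[a-z0-9-]+";
      if (label === "*") return "[a-z0-9-]+";
      return label.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // literal label
    })
    .join("\\.");
  return new RegExp(`^${body}$`, "i");
}

// Decide on the *parsed* hostname, never on the raw string: an allowed domain
// appearing as a prefix or substring of some other host is not a match, and
// unparsable input or embedded credentials are rejected before any fetch().
function isAllowedRemoteImage(rawUrl, config) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username || url.password) return false;

  // Exact match against the plain domain allowlist.
  if (config.domains.includes(url.hostname)) return true;

  // Pattern match, honouring a protocol constraint when the pattern has one.
  return config.remotePatterns.some((p) => {
    if (p.protocol && url.protocol !== `${p.protocol}:`) return false;
    return hostnamePatternToRegExp(p.hostname).test(url.hostname);
  });
}
```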
Recommendation
Update the astro package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0-alpha.0, < 5.13.2** and **<= 4.16.18**
Patched version(s): **5.13.2** and **4.16.19**
References
Related Issues
- Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
- Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
- Astro's bypass of image proxy domain validation leads to SSRF and potential XSS - CVE-2025-59837
Tags: npm, astro
Last updated on November 27, 2025