Description
In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
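The defect described above is an allowlist that does not hold: the endpoint fetches and serves a remote image regardless of which host the URL points at. The following is an added example, not Astro's own code, of the kind of host allowlist check an image optimization endpoint must apply before it proxies a third-party URL. The policy shape (`domains` plus `patterns`), the sample hostnames, and the `*.`/`**.` wildcard semantics are all constructed for this example and are assumptions, not Astro's configuration API. The weak `naiveContainsCheck` is shown beside the proper check only to illustrate why substring matching on the raw URL string is not an allowlist.

```javascript
// Added example (not Astro's own code): host allowlist for remote image sources.
// SAMPLE_POLICY is constructed for this example; the wildcard rules are an assumption:
//   "*.cdn.example"     matches exactly one extra label  (img.cdn.example)
//   "**.assets.example" matches one or more extra labels (a.assets.example, a.b.assets.example)
const SAMPLE_POLICY = {
  domains: ["images.trusted.example"],
  patterns: ["*.cdn.example", "**.assets.example"],
};

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Compare a normalized hostname against one allowlist pattern, label by label.
function hostMatchesPattern(hostname, pattern) {
  const host = hostname.split(".");
  if (pattern.startsWith("**.")) {
    const suffix = pattern.slice(3).split(".");
    if (host.length <= suffix.length) return false; // bare suffix itself is not a match
    return host.slice(host.length - suffix.length).join(".") === suffix.join(".");
  }
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(2).split(".");
    if (host.length !== suffix.length + 1) return false; // exactly one extra label
    return host.slice(1).join(".") === suffix.join(".");
  }
  return hostname === pattern;
}

// The check an endpoint should run before fetching a remote image.
// Returns true only when the parsed hostname is on the allowlist.
function isAllowedRemoteImage(rawUrl, policy = SAMPLE_POLICY) {
  let url;
  try {
    url = new URL(rawUrl); // relative or malformed input is not a remote source
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  // "https://allowed.host@other.host/x" parses with hostname other.host and
  // username allowed.host; reject embedded credentials outright so the
  // userinfo part can never be mistaken for the host by a later consumer.
  if (url.username || url.password) return false;
  // The WHATWG parser already lowercases the host; also drop a trailing dot.
  const hostname = url.hostname.replace(/\.$/, "");
  if (policy.domains.some((d) => d.toLowerCase() === hostname)) return true;
  return policy.patterns.some((p) => hostMatchesPattern(hostname, p.toLowerCase()));
}

// Deliberately weak check, kept only as a contrast: a substring test on the
// raw string is satisfied by any URL that merely mentions the allowed host
// (for example in its query string), so it is not a host allowlist at all.
function naiveContainsCheck(rawUrl, policy = SAMPLE_POLICY) {
  return policy.domains.some((d) => rawUrl.includes(d));
}

// Constructed sample inputs, as a stand-alone demonstration.
const SAMPLE_URLS = [
  "https://images.trusted.example/a.png",
  "https://img.cdn.example/a.png",
  "https://a.b.assets.example/a.png",
  "https://evil.example/?x=images.trusted.example",
  "/local.png",
];
for (const u of SAMPLE_URLS) {
  console.log(`${u}  allowlist=${isAllowedRemoteImage(u)}  naive=${naiveContainsCheck(u)}`);
}
```

The important design point is that the decision is made on the parsed `hostname`, never on the raw string: credentials, uppercase, trailing dots and look-alike query parameters are all normalized away by the URL parser before comparison, and anything that does not parse as an absolute http(s) URL is refused rather than passed through.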
Recommendation
Update the astro package to the latest compatible version. Version details are as follows:
Affected version(s): **>= 5.0.0-alpha.0, < 5.13.2** and **<= 4.16.18**
Patched version(s): **5.13.2** and **4.16.19**
References
Related Issues
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Astro's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793
- Astro's server source code is exposed to the public if sourcemaps are enabled - CVE-2024-56159
Tags:
- npm
- astro
Last updated on November 27, 2025