Description
In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
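As an added illustration of the control this class of bug calls for, here is a remote-image allowlist check for an image optimization endpoint. This is example code, not Astro's own code and not the patch: the allowlist shape borrows the names of Astro's documented `image.domains` and `image.remotePatterns` options, but the wildcard and path matching rules are this example's own simplification, and every hostname is constructed.

```javascript
// Added example: allowlist validation for a remote-image optimization endpoint.
// Not Astro's code. The config shape mirrors Astro's image.domains /
// image.remotePatterns option names; the matching rules below are an assumption.

const ALLOWLIST = {
  domains: ["cdn.example.com"], // constructed
  remotePatterns: [
    // constructed: any subdomain of media.example.org, only under /public/
    { protocol: "https", hostname: "**.media.example.org", pathname: "/public/**" },
  ],
};

// Hostname pattern: "**." allows any depth of subdomain, "*." exactly one
// label, otherwise an exact match. Matching is on the parsed hostname only.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("**.")) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith("." + base);
  }
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    if (!hostname.endsWith("." + base)) return false;
    const label = hostname.slice(0, -(base.length + 1));
    return label.length > 0 && !label.includes(".");
  }
  return pattern === hostname;
}

// Path pattern: "/**" suffix allows any sub-path, "/*" one segment,
// no pattern allows every path.
function pathMatches(pattern, pathname) {
  if (pattern === undefined) return true;
  if (pattern.endsWith("/**")) {
    const base = pattern.slice(0, -3);
    return pathname === base || pathname.startsWith(base + "/");
  }
  if (pattern.endsWith("/*")) {
    const base = pattern.slice(0, -2);
    if (!pathname.startsWith(base + "/")) return false;
    const rest = pathname.slice(base.length + 1);
    return rest.length > 0 && !rest.includes("/");
  }
  return pattern === pathname;
}

// True only when the href parses as an absolute http(s) URL whose parsed
// hostname (and protocol, port, path where given) matches an allowlist entry.
function isAllowedRemoteImage(href, allowlist = ALLOWLIST) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // relative or malformed input is not a remote image
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (allowlist.domains.includes(url.hostname)) return true;
  return allowlist.remotePatterns.some((p) => {
    if (p.protocol && p.protocol !== url.protocol.replace(":", "")) return false;
    if (p.port !== undefined && p.port !== url.port) return false;
    if (p.hostname && !hostMatches(p.hostname, url.hostname)) return false;
    return pathMatches(p.pathname, url.pathname);
  });
}

// Weak check kept for contrast: substring matching on the raw href accepts
// any URL that merely contains an allowlisted domain somewhere in it.
function isAllowedRemoteImageWeak(href, allowlist = ALLOWLIST) {
  return allowlist.domains.some((d) => href.includes(d));
}

module.exports = { isAllowedRemoteImage, isAllowedRemoteImageWeak, hostMatches, pathMatches };
```

The point of the contrast is that the decision has to be made on the parsed hostname, protocol and path of the request, never on the raw string: the weak variant accepts `https://cdn.example.com.attacker.invalid/a.png` because the allowlisted name appears inside it, while the strict variant rejects it. Rejecting non-http(s) schemes up front also keeps the optimizer from fetching anything other than a web image.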
Recommendation
Update the astro package to the latest compatible version. Version details:
Affected version(s): **<= 4.16.18; >= 5.0.0-alpha.0, <= 5.13.0**
Patched version(s): **4.16.19, 5.13.2**
References
Related Issues
- Astro's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793
- Astro CSRF Middleware Bypass (security.checkOrigin) - CVE-2024-56140
- DOM Clobbering Gadget found in astro's client-side router that leads to XSS - CVE-2024-47885
- Joplin Cross-site Scripting vulnerability (GHSA-7grw-xfx6-qhx6) - CVE-2023-37298
Tags:
- npm
- astro
Last updated on August 19, 2025