Astro allows unauthorized third-party images in _image endpoint - @astrojs/node

Severity:: Medium

Description

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Recommendation

Update the @astrojs/node package to the latest compatible version. Followings are version details:

Affected version(s): <= 9.1.0
Patched version(s): 9.1.1

References

GHSA-xf8x-j4p2-f749
CVE-2025-55303
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
@astrojs/node's trailing slash handling causes open redirect issue - CVE-2025-55207

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @astrojs/node

Anything's wrong? Let us know Last updated on November 27, 2025