Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749)

Severity:: Medium

Description

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Recommendation

Update the @astrojs/node package to the latest compatible version. Followings are version details:

Affected version(s): <= 9.1.0
Patched version(s): 9.1.1

References

GHSA-xf8x-j4p2-f749
CVE-2025-55303
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
AngularJS allows attackers to bypass common image source restrictions (GHSA-mqm9-c95h-x2p6) - CVE-2024-8373

Tags:: npm; @astrojs/node

Anything's wrong? Let us know Last updated on November 27, 2025