Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749)
- Severity: Medium
Description
In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
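The defensive check the description implies is a host allowlist applied before an image endpoint fetches a remote URL. The following is an added illustration written for this page, not code from Astro or @astrojs/node; the allowlist entries, the `*.` wildcard convention and the function names are constructed for the example.

```javascript
// Added example: allowlist check for remote image URLs handed to an
// image optimization endpoint. Illustrative only, not Astro's implementation.

// Constructed allowlist: exact hosts, or "*." for any single-or-deeper subdomain.
const ALLOWED_IMAGE_HOSTS = ["images.example.com", "*.cdn.example.net"];

// Match one lowercase hostname against one allowlist pattern.
function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.cdn.example.net" -> ".cdn.example.net"
    // Require something before the dot so "cdn.example.net" itself and
    // "evilcdn.example.net" do not match the wildcard form.
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

// Return true only when rawUrl is an absolute https URL whose hostname is on
// the allowlist. Anything unparsable is rejected rather than guessed at.
function isAllowedRemoteImage(rawUrl, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // throws for relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  // Defence in depth: "https://images.example.com@evil.org/" parses with
  // hostname evil.org; rejecting any userinfo avoids confusing log readers too.
  if (url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  return allowedHosts.some((pattern) => hostMatches(host, pattern.toLowerCase()));
}

// Minimal decision an endpoint would make before fetching the upstream image.
function decideImageRequest(rawUrl) {
  return isAllowedRemoteImage(rawUrl) ? { status: 200 } : { status: 403 };
}

module.exports = { isAllowedRemoteImage, decideImageRequest, hostMatches };
```

The allowlist is matched on the parsed hostname, not on a substring of the raw URL, so a request such as `https://images.example.com.evil.org/x.png` is refused even though the allowed name appears inside it; a substring or prefix comparison is the usual way this class of check goes wrong.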
Recommendation
Update the @astrojs/node package to the latest compatible version. Version details:
- Affected version(s): <= 9.1.0
- Patched version(s): 9.1.1
References
Related Issues
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- @astrojs/node's trailing slash handling causes open redirect issue - CVE-2025-55207
- Astros's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793
- A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA - CVE-2023-33831
- Tags: npm, @astrojs/node
Last updated on August 19, 2025