Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
- Severity: Medium
Description
Summary
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the @astrojs/cloudflare adapter with output: 'server'. The built-in image optimization endpoint (/_image) uses isRemoteAllowed() from Astro’s internal helpers, which unconditionally allows data: URLs.
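As an added example (not Astro's own code or its fix), this is the kind of strict allow-list check a remote-image endpoint should apply: the scheme is validated before any host matching, so data: and other non-web URLs are rejected outright. The function name isRemoteImageAllowed and the { domains, remotePatterns } config shape are assumptions for illustration.

```javascript
// Only fetchable web schemes are eligible for optimization. Rejecting everything
// else up front is the check the advisory describes as missing: a data: URL must
// never reach the image pipeline, whatever the host allow-list says.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// "**.example.com" matches any subdomain depth, "*.example.com" exactly one
// label, anything else is an exact (case-insensitive) host comparison.
function hostMatches(hostname, pattern) {
  hostname = hostname.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    if (!hostname.endsWith('.' + base)) return false;
    const prefix = hostname.slice(0, -(base.length + 1));
    return prefix.length > 0 && !prefix.includes('.');
  }
  return hostname === pattern;
}

// Returns true only for an absolute http(s) URL whose host (and optionally
// protocol, port and path prefix) is explicitly allowed by the config.
function isRemoteImageAllowed(src, config = {}) {
  let url;
  try {
    url = new URL(src); // relative paths and malformed input throw: not remote
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;

  const { domains = [], remotePatterns = [] } = config;
  if (domains.some((d) => hostMatches(url.hostname, d))) return true;

  return remotePatterns.some((p) =>
    (!p.protocol || p.protocol + ':' === url.protocol) &&
    (!p.hostname || hostMatches(url.hostname, p.hostname)) &&
    (!p.port || p.port === url.port) &&
    (!p.pathname || url.pathname.startsWith(p.pathname)));
}
```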
Recommendation
Update the astro package to the latest compatible version. Version details are as follows:
- Affected version(s): < 5.15.9
- Patched version(s): 5.15.9
Related Issues
- Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273
- Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 - CVE-2025-66202
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Tags: npm, astro
Last updated on November 27, 2025