Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
- Severity: Medium
Description
Summary
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the @astrojs/cloudflare adapter with output: 'server'. The built-in image optimization endpoint (/_image) uses isRemoteAllowed() from Astro’s internal helpers, which unconditionally allows data: URLs.
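As an added illustration (not Astro's code or its patch), the following is a scheme-aware allow check of the kind a remote-image endpoint needs: it admits only http(s) sources on an explicit host allow-list, so a `data:` source is refused rather than passed through unconditionally. The function names and `ALLOWED_HOSTS` are assumptions for the example.

```javascript
// Added example, not Astro's code: an allow check for remote image sources
// that rejects non-http(s) schemes (data:, javascript:, blob:, file:, ...)
// and then requires the host to match an explicit allow-list.

// Constructed allow-list: exact hosts or a leading "*." wildcard for subdomains.
const ALLOWED_HOSTS = ['images.example.com', '*.cdn.example.net'];

// Match a hostname against one allow-list entry.
// "*.cdn.example.net" matches "a.cdn.example.net" but not the bare apex
// "cdn.example.net" and not "cdn.example.net.evil.example".
function hostMatches(hostname, pattern) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".cdn.example.net"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === pattern;
}

// Return true only for an absolute http(s) URL whose host is allow-listed.
// Relative paths and malformed strings are not remote sources and return false.
function isRemoteImageAllowed(src, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false; // this is the branch that refuses data: sources
  }
  return allowedHosts.some((pattern) => hostMatches(url.hostname, pattern));
}
```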
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): < 5.15.9
- Patched version(s): 5.15.9
References
Related Issues
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
- Astro's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793
- Astro's server source code is exposed to the public if sourcemaps are enabled - CVE-2024-56159
- Tags: npm, astro
Last updated on November 27, 2025