Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
- Severity: Low
Description
The fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts (line 28) relies on fetch()'s default redirect: 'follow' mode. The isRemoteAllowed() domain allowlist check is applied only to the initial URL, so an allowlisted host that answers with an HTTP redirect can steer the Cloudflare Worker to an arbitrary URL, including internal addresses the allowlist would never accept directly, which makes this a server-side request forgery.
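The bug class described above, as an added example that is not code from @astrojs/cloudflare: an allowlist checked once on the initial URL next to a fetch that follows redirects, and a hardened variant that disables automatic following and re-runs the check on every hop. The isRemoteAllowed() stand-in, the allowlist contents and the in-memory fake network are assumptions made for the demonstration.

```typescript
// Added example, not the adapter's own code. The allowlist helper, the hosts
// and the fake fetch() below are assumptions for an offline demonstration.

interface FakeResponse {
  status: number;
  location: string | null; // value of the Location header, if any
  body: string;
}

type RedirectMode = 'follow' | 'manual';
type FetchLike = (url: string, init: { redirect: RedirectMode }) => Promise<FakeResponse>;

// Stand-in for the adapter's isRemoteAllowed(): exact hostname match against an allowlist.
export function isRemoteAllowed(url: string, allowedHosts: string[]): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return allowedHosts.includes(parsed.hostname);
}

// Constructed responses: the allowed image host redirects one path to a
// link-local metadata address that the allowlist would never permit directly.
const FAKE_NETWORK: Record<string, { status: number; location?: string; body?: string }> = {
  'https://images.example.com/dog.png': { status: 200, body: 'PNG bytes for dog.png' },
  'https://images.example.com/cat.png': { status: 302, location: 'http://169.254.169.254/latest/meta-data/' },
  'http://169.254.169.254/latest/meta-data/': { status: 200, body: 'INTERNAL METADATA' },
};

// Minimal fetch() emulation: with redirect: 'follow' it chases Location headers
// itself, as the real fetch() does by default; with 'manual' it returns the 3xx.
export const fakeFetch: FetchLike = async (url, init) => {
  let current = url;
  for (let hop = 0; hop < 20; hop++) {
    const entry = FAKE_NETWORK[current];
    if (!entry) return { status: 404, location: null, body: '' };
    const response: FakeResponse = { status: entry.status, location: entry.location ?? null, body: entry.body ?? '' };
    const isRedirect = response.status >= 300 && response.status < 400 && response.location !== null;
    if (!isRedirect || init.redirect === 'manual') return response;
    current = new URL(response.location as string, current).toString();
  }
  throw new Error('too many redirects');
};

// Vulnerable pattern: allowlist checked once, then the default redirect mode.
export async function fetchRemoteImageVulnerable(url: string, allowedHosts: string[], fetchImpl: FetchLike): Promise<string> {
  if (!isRemoteAllowed(url, allowedHosts)) throw new Error(`host not allowed: ${url}`);
  const res = await fetchImpl(url, { redirect: 'follow' });
  return res.body;
}

// Hardened pattern: no automatic following, allowlist re-checked on every hop,
// and a hop limit so a redirect loop cannot spin forever.
export async function fetchRemoteImageHardened(url: string, allowedHosts: string[], fetchImpl: FetchLike, maxHops = 5): Promise<string> {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isRemoteAllowed(current, allowedHosts)) throw new Error(`host not allowed: ${current}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    const isRedirect = res.status >= 300 && res.status < 400 && res.location !== null;
    if (!isRedirect) {
      if (res.status !== 200) throw new Error(`unexpected status ${res.status} from ${current}`);
      return res.body;
    }
    // Resolve relative Location values against the current URL before checking them.
    current = new URL(res.location as string, current).toString();
  }
  throw new Error('too many redirects');
}
```

With the constructed network, the vulnerable function returns the internal metadata body for the allowlisted cat.png URL, while the hardened function rejects the redirect target before any request is made to it. Swapping fakeFetch for the real fetch() keeps the same control flow; a production version should also reject private and link-local address ranges, not only unlisted hostnames, since a DNS name on the allowlist can itself resolve to an internal address.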
Recommendation
Update the @astrojs/cloudflare package to the latest compatible version. The version details are as follows:
- Affected version(s): < 13.1.10
- Patched version(s): 13.1.10
References
Related Issues
- nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) - CVE-2026-44589
- Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter - CVE-2025-58179
- PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - CVE-2026-41305
- Parse Dashboard has incomplete authentication on AI Agent endpoint - CVE-2026-27595
- Tags: npm, @astrojs/cloudflare
Last updated on April 27, 2026