CVE-2025-55303
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| astro | astro | to 4.16.18 (exc) |
| astro | astro | From 5.0.0 (inc) to 5.13.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-115 | The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Astro web framework's image optimization endpoint in versions before 5.13.2 and 4.16.18. The endpoint, used in on-demand rendered sites, is supposed to restrict images served to authorized third-party domains. However, due to a bug, an attacker can bypass these domain restrictions by using a protocol-relative URL (e.g., /_image?href=//example.com/image.png), allowing images from unauthorized third-party domains to be served.
How can this vulnerability impact me? :
This vulnerability can allow attackers to serve images from unauthorized third-party domains through the Astro image optimization endpoint. This could lead to security risks such as content spoofing, phishing, or the delivery of malicious content under the guise of trusted images, potentially undermining user trust and site integrity.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Astro to version 5.13.2 or later, or 4.16.18 or later, where the vulnerability is fixed. Avoid using vulnerable versions of Astro for on-demand rendered sites with the /_image endpoint until patched.