CVE-2025-58179
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| astro | cloudflare_adapter | * |
| astro | astro | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58179 is a Server-Side Request Forgery (SSRF) vulnerability in the Astro web framework's Cloudflare adapter versions 11.0.3 through 12.6.5. When Astro is configured with output: 'server' and the default imageService: 'compile', the image optimization endpoint (/_image) does not properly validate or restrict URLs it receives. This allows attackers to bypass domain restrictions and serve content from unauthorized third-party domains through the vulnerable site's origin. Essentially, the image proxy endpoint fails to enforce user-configured allowed remote domains, enabling unauthorized remote image downloads and potentially exposing the site to SSRF and cross-site scripting (XSS) attacks. The issue is fixed in version 12.6.6. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow attackers to make the vulnerable server fetch and serve content from unauthorized third-party domains, effectively bypassing domain restrictions. This can lead to unauthorized content delivery through your site, potentially exposing your users to malicious content. Additionally, it can enable SSRF attacks, which might be leveraged to access internal resources or perform further attacks. There is also a risk of cross-site scripting (XSS) if users access maliciously crafted URLs exploiting this vulnerability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing the /_image endpoint of your Astro application configured with the Cloudflare adapter and output: 'server'. Specifically, try accessing the endpoint with a URL parameter pointing to an unauthorized third-party domain, for example: /_image?href=https://placehold.co/600x400. If the image from the unauthorized domain is served, your system is vulnerable. A simple command using curl to test this would be: curl -i 'https://your-astro-site/_image?href=https://placehold.co/600x400'. A vulnerable system will return the remote image content instead of blocking or redirecting the request. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the @astrojs/cloudflare adapter to version 12.6.6 or later, where the issue is fixed. Additionally, configure your astro.config.mjs file to explicitly specify trusted remote image domains using the image.domains array. The patched version enforces domain restrictions by blocking unauthorized remote image requests with HTTP 403 responses and only allowing trusted domains via HTTP 302 redirects. Avoid using the default imageService: 'compile' without proper domain restrictions until patched. [1, 2]
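The allowlist behaviour described above (403 for remote hosts outside image.domains, 302 redirects for trusted ones), as an added JavaScript example that is not Astro's or the adapter's own code; SITE_ORIGIN, ALLOWED_DOMAINS and decideImageRequest are constructed placeholders standing in for the deployed site, astro.config.mjs and the endpoint's check:

```javascript
// Added example, not code from Astro or @astrojs/cloudflare: a minimal
// allowlist decision for a remote-image proxy endpoint such as /_image?href=...
// It returns the HTTP status the page describes for the patched adapter:
// 403 for a remote host outside image.domains, 302 (redirect to the remote
// URL) for a trusted host. SITE_ORIGIN and ALLOWED_DOMAINS are constructed
// placeholders standing in for the deployed site and astro.config.mjs.
const SITE_ORIGIN = "https://your-astro-site.example";
const ALLOWED_DOMAINS = ["images.example.com", "cdn.example.org"];

function decideImageRequest(href, allowed = ALLOWED_DOMAINS) {
  let url;
  try {
    // Resolve against the site origin so relative paths stay local and
    // protocol-relative hrefs ("//host/x") are recognised as remote.
    url = new URL(href, SITE_ORIGIN);
  } catch {
    return { status: 400, reason: "malformed href" };
  }
  if (url.origin === SITE_ORIGIN) {
    // Same-origin asset (e.g. /_astro/hero.png): serve it directly.
    return { status: 200, reason: "same-origin asset" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    // file:, data:, javascript: and similar never reach the fetcher.
    return { status: 403, reason: "unsupported scheme" };
  }
  // Exact hostname match only: "cdn.example.org.evil.test" is not trusted.
  if (!allowed.includes(url.hostname.toLowerCase())) {
    return { status: 403, reason: "remote domain not in image.domains" };
  }
  return { status: 302, location: url.href };
}

// Constructed sample hrefs, including the probe URL quoted on this page.
function runSamples() {
  const hrefs = [
    "https://placehold.co/600x400",
    "//placehold.co/600x400",
    "https://images.example.com/logo.png",
    "/_astro/hero.png",
    "file:///etc/hostname",
  ];
  return hrefs.map((href) => ({ href, ...decideImageRequest(href) }));
}

for (const r of runSamples()) {
  console.log(`${r.status} ${r.href} (${r.reason ?? "redirect to " + r.location})`);
}
```

Running it prints one line per sample; only the images.example.com request gets a 302, every other remote or non-http href is refused with 403.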