Unauthorized third-party images in Astro’s _image endpoint
Description
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
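The following is an added illustration (not Astro's own code) of why a protocol-relative href defeats a host allowlist that only inspects hrefs carrying a scheme, beside a check that resolves the href against the site's own origin first. The allowlist host `cdn.example.org` and the site origin `https://site.test` are constructed values for the example.

```javascript
// Hypothetical allowlist of remote image hosts (constructed for this example).
const ALLOWED_REMOTE_HOSTS = new Set(["cdn.example.org"]);

// Naive check: anything without a URL scheme is assumed to be a local path
// and skips the allowlist. "//example.com/image.png" has no scheme, so it
// is wrongly accepted even though a browser-style resolver would fetch it
// from example.com.
function naiveIsAllowed(href) {
  if (!/^[a-z][a-z0-9+.-]*:/i.test(href)) {
    return true; // treated as a same-site path
  }
  const host = new URL(href).hostname;
  return ALLOWED_REMOTE_HOSTS.has(host);
}

// Hardened check: resolve the href against the site's origin the same way a
// fetch would, so a protocol-relative href becomes an absolute URL on the
// third-party host, then allow only the site itself or allowlisted hosts.
function hardenedIsAllowed(href, siteOrigin) {
  let resolved;
  try {
    resolved = new URL(href, siteOrigin);
  } catch {
    return false; // unparsable input is rejected
  }
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
    return false;
  }
  if (resolved.origin === new URL(siteOrigin).origin) {
    return true; // same-site image
  }
  return ALLOWED_REMOTE_HOSTS.has(resolved.hostname);
}
```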
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| astro (npm) | >= 5.0.0-alpha.0, < 5.13.2 | 5.13.2 |
| @astrojs/node (npm) | < 9.1.1 | 9.1.1 |
| astro (npm) | < 4.16.19 | 4.16.19 |
References
- github.com/advisories/GHSA-xf8x-j4p2-f749 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-55303 (NVD advisory)
- github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820 (fix commit)
- github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 (vendor advisory)