CVE-2025-55303
published 2025-08-19


Priority P182 · medium 6.1 (CVSS 3.1)
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW exploit: VulnCheck KEV · Exploited in the wild
EPSS 0.60% (percentile 44.2)
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
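The bypass the description attributes to protocol-relative hrefs, as an added example that is not Astro's own source: a naive check that treats any href beginning with "/" as a same-site path (modelled on the bug as described, not on Astro's code) beside a check that resolves the href against the site origin before deciding. The origin https://example.test, the allowlist (in the spirit of Astro's image.domains setting) and the function names are assumptions.

```javascript
// Added example (not Astro's code): why "//host/..." slips past a naive
// "starts with /" test, and a resolution-based check that does not.
// The origin, allowlist and function names are assumptions.

const SITE_ORIGIN = "https://example.test";               // assumed deploy origin
const ALLOWED_IMAGE_HOSTS = new Set(["cdn.example.test"]); // assumed allowlist

// Naive check modelled on the bug as the advisory describes it: anything that
// starts with "/" is treated as a local path and skips the domain check.
// "//attacker.example/a.png" starts with "/" but is not local.
function naiveAllowsHref(href) {
  if (href.startsWith("/")) return true;              // "local": no domain check
  let u;
  try { u = new URL(href); } catch { return false; }  // neither absolute nor local
  return ALLOWED_IMAGE_HOSTS.has(u.hostname);
}

// Hardened check: resolve the href against the site origin first, then judge
// the resolved URL. A protocol-relative href resolves to the third-party
// origin, so it is handled as remote and must be allowlisted.
function hardenedAllowsHref(href) {
  let u;
  try {
    u = new URL(href, SITE_ORIGIN);
  } catch {
    return false;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  if (u.origin === SITE_ORIGIN) return true;          // genuinely same-origin
  return ALLOWED_IMAGE_HOSTS.has(u.hostname);
}

// Run both checks over a few hrefs, including the shape from the advisory.
function compareChecks() {
  const cases = [
    "/images/logo.png",                 // local path
    "https://cdn.example.test/a.png",   // allowlisted remote host
    "https://attacker.example/a.png",   // remote host, not allowlisted
    "//attacker.example/a.png",         // protocol-relative: the bypass
  ];
  return cases.map((href) => ({
    href,
    naive: naiveAllowsHref(href),
    hardened: hardenedAllowsHref(href),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

The hardened form also rejects non-http(s) schemes that a resolution against the origin would otherwise accept, and it keeps a single decision path for local and remote hrefs, which is what removes the class of "looks local, resolves remote" inputs rather than one spelling of it.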

Affected

7 ranges

Vendor      Product   Version range               Fixed in
astro       astro     < 4.16.18                   4.16.18
astro       astro     >= 0 < 4.16.19              4.16.19
astro       astro     >= 5.0.0 < 5.13.2           5.13.2
astro       astro     >= 5.0.0-alpha.0 < 5.13.2   5.13.2
astrojs     node      >= 0 < 9.1.1                9.1.1
withastro   astro     < 4.16.18                   4.16.18
withastro   astro

Detection & IOCs (extracted from sources)

url    /_image?href=//{{interactsh-url}}/600x400
path   /_image
  • Detect exploitation attempts by monitoring GET requests to the /_image endpoint where the 'href' query parameter begins with '//' (protocol-relative URL), indicating an attempt to bypass third-party domain restrictions.
  • Alert on HTTP 200 responses from /_image?href=//... requests that return a Content-Type containing 'image/', confirming successful bypass and image proxying from an unauthorized third-party domain.
  • Use the Shodan query 'http.html:"astro"' to identify potentially vulnerable Astro-powered sites exposed to the internet for targeted scanning.
  • Exploitation requires the Astro site to be deployed with on-demand (server-side) rendering enabled. Statically generated sites are NOT affected.
  • Vulnerable versions are Astro < 5.13.2 (v5 branch) and Astro < 4.16.18 (v4 branch). Both branches must be tracked independently for patching.
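The first two detection bullets as runnable logic, added here and not taken from any vendor rule or the advisory: it scans a constructed JSON-lines log (the field names are assumptions; map them to your proxy's or application's format) and classifies each protocol-relative /_image request as an attempt or, when the response was a 200 with an image Content-Type, as a confirmed proxying. The href is read through URLSearchParams, so a percent-encoded %2F%2F matches as well as a literal //.

```javascript
// Added example (not a vendor rule): flag /_image requests whose href is a
// protocol-relative URL, as the detection bullets describe. Log format and
// field names are constructed assumptions.

const SAMPLE_LOG = [
  // constructed records, one JSON object per line
  '{"method":"GET","path":"/_image","query":"href=%2Fimages%2Flogo.png&w=600","status":200,"content_type":"image/png"}',
  '{"method":"GET","path":"/_image","query":"href=//attacker.example/600x400","status":200,"content_type":"image/png"}',
  '{"method":"GET","path":"/_image","query":"href=%2F%2Fattacker.example%2Fx.png","status":403,"content_type":"text/plain"}',
  '{"method":"GET","path":"/about","query":"","status":200,"content_type":"text/html"}',
  '{"method":"GET","path":"/_image","query":"href=https://cdn.example.test/a.png","status":200,"content_type":"image/webp"}',
].join("\n");

function parseRecord(line) {
  try { return JSON.parse(line); } catch { return null; }
}

// Returns one finding per GET /_image whose decoded href starts with "//".
// URLSearchParams percent-decodes, so "%2F%2F" is caught as well as "//".
// verdict: "attempt" (request seen) or "confirmed-proxy" (200 + image/*).
function detectImageBypass(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const rec = parseRecord(line);
    if (!rec || rec.method !== "GET" || rec.path !== "/_image") continue;
    const href = new URLSearchParams(rec.query).get("href");
    if (href === null || !href.startsWith("//")) continue;
    const served =
      rec.status === 200 && String(rec.content_type).startsWith("image/");
    findings.push({
      href,
      status: rec.status,
      verdict: served ? "confirmed-proxy" : "attempt",
    });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(detectImageBypass(SAMPLE_LOG));
}
```

Common access-log formats do not record the response Content-Type; the "confirmed-proxy" verdict needs a proxy or application log that includes it. Without that field, treat every hit as an attempt and confirm from the origin side.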

CVSS provenance

nvd        v3.1   6.1 MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd        v4.0   6.9 MEDIUM   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck         6.9 MEDIUM