CVE-2025-55303
Published 2025-08-19
Priority: P182 · Severity: medium, CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 0.60% (44.2th percentile)
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | < 4.16.18 | 4.16.18 |
| astro | astro | >= 0 < 4.16.19 | 4.16.19 |
| astro | astro | >= 5.0.0 < 5.13.2 | 5.13.2 |
| astro | astro | >= 5.0.0-alpha.0 < 5.13.2 | 5.13.2 |
| astrojs | node | >= 0 < 9.1.1 | 9.1.1 |
| withastro | astro | < 4.16.18 | 4.16.18 |
| withastro | astro | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring GET requests to the /_image endpoint where the 'href' query parameter begins with '//' (protocol-relative URL), indicating an attempt to bypass third-party domain restrictions.
- Alert on HTTP 200 responses from /_image?href=//... requests that return a Content-Type containing 'image/', confirming successful bypass and image proxying from an unauthorized third-party domain.
- Use the Shodan query 'http.html:"astro"' to identify potentially vulnerable Astro-powered sites exposed to the internet for targeted scanning.
- Exploitation requires the Astro site to be deployed with on-demand (server-side) rendering enabled. Statically generated sites are NOT affected.
- Vulnerable versions are Astro < 5.13.2 (v5 branch) and Astro < 4.16.18 (v4 branch). Both branches must be tracked independently for patching.
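As an added illustration (not code from this page or from the Astro project), the JavaScript below models why a protocol-relative href slips past an allowlist check that only treats scheme-prefixed URLs as remote, shows the hardened resolve-then-compare check, and runs the log-based detection described above over constructed access-log lines. The site origin, allowlist and log lines are assumptions.

```javascript
// Added example (not Astro's source): protocol-relative href bypass of an
// image-domain allowlist, its hardened form, and a log scan for the IOC.
const SITE_ORIGIN = "https://site.example"; // assumed site origin
const ALLOWED_DOMAINS = ["cdn.example"];     // stand-in for image.domains

// Illustrative naive check (models the bug class, not Astro's code): only
// hrefs with an explicit scheme count as remote, so "//example.com/x.png"
// looks like a local path and is never compared against the allowlist.
function naiveIsAllowed(href) {
  if (!/^https?:\/\//i.test(href)) return true; // treated as a local image
  return ALLOWED_DOMAINS.includes(new URL(href).hostname);
}

// Hardened check: resolve the href against the site origin first and decide
// by the resulting origin/host. A protocol-relative href resolves to a
// foreign origin and is rejected unless that host is allowlisted.
function hardenedIsAllowed(href) {
  const u = new URL(href, SITE_ORIGIN);
  if (u.origin === SITE_ORIGIN) return true;
  return ALLOWED_DOMAINS.includes(u.hostname);
}

// Detection: flag GET /_image requests whose href query value starts with
// "//". Takes common-log-format lines; returns the foreign hosts requested.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"GET (\/_image\?[^ "]*) HTTP/);
    if (!m) continue;
    const href = new URL(m[1], SITE_ORIGIN).searchParams.get("href") || "";
    if (href.startsWith("//")) hits.push(new URL(href, SITE_ORIGIN).hostname);
  }
  return hits;
}

// Constructed sample log lines (not real traffic)
const SAMPLE_LOG = [
  '203.0.113.5 - - [19/Aug/2025:10:00:00 +0000] "GET /_image?href=/_astro/hero.png&w=800 HTTP/1.1" 200 5120',
  '203.0.113.5 - - [19/Aug/2025:10:00:01 +0000] "GET /_image?href=//example.com/image.png HTTP/1.1" 200 7340',
  '203.0.113.5 - - [19/Aug/2025:10:00:02 +0000] "GET /about HTTP/1.1" 200 1200',
];

console.log("naive allows bypass:", naiveIsAllowed("//example.com/image.png"));
console.log("hardened allows bypass:", hardenedIsAllowed("//example.com/image.png"));
console.log("flagged hosts:", scanLogLines(SAMPLE_LOG));
```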
CVSS provenance
- NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 6.9 MEDIUM
GHSA (2025-08-19): CVE-2025-55303 [MEDIUM] CWE-79, Astro allows unauthorized third-party images in _image endpoint
### Summary
In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
### Details
On-demand rendered sites built with Astro include an `/_image` endpoint which returns optimized versions of images.
The `/_image` endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the [`image.domains`](https://docs.astro.build/en/reference/configuration-reference/#imagedomains) or [`image.remotePatterns`](https://docs.astro.build/en/reference/configuration-reference/#imageremotepatterns) options).
However, a
OSV (2025-08-19): CVE-2025-55303 [MEDIUM] Astro allows unauthorized third-party images in _image endpoint (same advisory text as the GHSA entry)
VulnCheck (2025, CVSS 6.9): CVE-2025-55303 [MEDIUM] astro astro Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: astro astro
Required Action: Apply remediations or mitigations per vendor instruc
No detection rules found.
Nuclei (CVSS 6.9): CVE-2025-55303 [MEDIUM] Astro - Unauthorized Third-Party Image Access
Astro < 5.13.2 and < 4.16.18 contains an information disclosure vulnerability caused by improper validation of protocol-relative URLs in the image optimization endpoint, letting attackers serve images from unauthorized third-party domains; exploitation requires an on-demand rendering deployment.
Template:

```yaml
id: CVE-2025-55303

info:
  name: Astro - Unauthorized Third-Party Image Access
  author: theamanrawat
  severity: medium
  description: |
    Astro < 5.13.2 and < 4.16.18 contains an information disclosure vulnerability caused by improper validation of protocol-relative URLs in the image optimization endpoint, letting attackers serve images from unauthorized third-party domains, exploit requires on-demand rendering deployment.
  impact: |
    Attackers can serve im
```
No writeups or analysis indexed.
Timeline: 2025-08-19 published · exploited in the wild