cbcvebase.
CVE-2025-58179
published 2025-09-05


Priority: P2 · 79 · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.77% (51.1st percentile)
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6.

Affected

5 ranges
Vendor    | Product            | Version range          | Fixed in
astro     | astro              | >= 5.13.4 < 5.13.10    | 5.13.10
astro     | astro              | >= 5.13.4 < 5.13.10    | 5.13.10
astro     | astrojs_cloudflare | >= 11.0.3 < 12.6.6     | 12.6.6
astrojs   | cloudflare         | >= 11.0.3 < 12.6.6     | 12.6.6
withastro | astrojs_cloudflare | < 13.1.10              | 13.1.10

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/_image?href=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg&f=svg
path: /_image
  • Probe the /_image endpoint with an external href parameter pointing to an SVG containing JavaScript. A vulnerable instance will fetch and return the SVG with Content-Type: image/svg+xml and body containing '<script type="text/javascript' and 'alert(document.domain);'.
  • Match HTTP 200 response with Content-Type 'image/svg+xml' AND body containing both '<script type="text/javascript' and 'alert(document.domain);' to confirm successful SSRF/XSS via the image optimization endpoint.
  • Vulnerability is triggered when the Astro Cloudflare adapter is configured with output: 'server' and the default imageService: 'compile'. The /_image endpoint accepts arbitrary external URLs via the 'href' query parameter without domain validation.
  • CVE-2025-59837 is a related bypass of the same image proxy domain validation using backslashes in the href parameter; detections for CVE-2025-58179 should also consider backslash-based bypass variants (e.g., /_image?href=https:\\evil.com/...).
  • Vulnerability only affects @astrojs/cloudflare adapter versions 11.0.3 through 12.6.5; the fix is present in version 12.6.6 and later.
  • Exploitation requires the Astro application to be deployed with both output: 'server' and the default imageService: 'compile' configuration; other configurations are not affected.
  • CVE-2025-58179's fix was incomplete; CVE-2025-59837 (fixed in Astro 5.13.10) describes a bypass of the same domain validation using backslashes in the href parameter.
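The bullets above describe two defender-side tasks: validating the href an image endpoint is asked to fetch against a domain allowlist (so that the backslash variant from CVE-2025-59837 does not parse as a local path and slip through), and spotting requests to /_image that carried an external href in access logs. The following is an added example, not code from this page or from the Astro project. It assumes a hypothetical allowlist (images.example.com, cdn.example.com) standing in for the adapter's configured image domains, and the log lines are constructed. The host check goes a little beyond the bullets by also rejecting protocol-relative URLs, userinfo tricks and non-http schemes, since a naive "does it start with an allowed domain" check misses all of them.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allowlist of remote image hosts (stand-in for the site's configured image domains).
ALLOWED_IMAGE_HOSTS = {"images.example.com", "cdn.example.com"}


def normalize_href(href):
    """Percent-decode, then fold backslashes into forward slashes.

    "https:\\\\host/x" (the CVE-2025-59837 variant) would otherwise parse with an
    empty netloc and look like a harmless relative path to a naive check.
    """
    return unquote(href).replace("\\", "/")


def href_host(href):
    """Return the remote host this href would make the endpoint fetch.

    None  -> same-origin path, nothing remote is fetched
    ""    -> remote or non-path reference whose host cannot be determined (never allowlisted)
    str   -> the lowercase hostname (userinfo such as "allowed@evil" is stripped by urlsplit)
    """
    try:
        parts = urlsplit(normalize_href(href))
    except ValueError:          # e.g. malformed IPv6 brackets
        return ""
    if parts.netloc:            # absolute or protocol-relative ("//host/x") URL
        return parts.hostname.lower() if parts.hostname else ""
    if parts.scheme:            # scheme without authority, e.g. data: or file:
        return ""
    return None


def is_allowed_href(href, allowed=ALLOWED_IMAGE_HOSTS):
    """Allow same-origin paths and exact matches against the host allowlist only."""
    host = href_host(href)
    if host is None:
        return True
    return host in allowed


# Combined-log-format request line; captures only the fields the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def scan_access_log(lines, allowed=ALLOWED_IMAGE_HOSTS):
    """Flag /_image requests whose href points at a host outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/_image":
            continue
        # parse_qs decodes the query once; normalize_href decodes again, which only
        # makes the check stricter (double-encoded hosts still resolve to a host).
        for href in parse_qs(target.query).get("href", []):
            if not is_allowed_href(href, allowed):
                findings.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "href": href,
                    "host": href_host(href),
                })
    return findings


# Constructed sample log lines: a local asset, an allowlisted host, a plain external
# href, the backslash variant (%5C%5C), and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /_image?href=/assets/hero.png&w=800&f=webp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Sep/2025:12:00:02 +0000] "GET /_image?href=https://images.example.com/a.jpg&f=webp HTTP/1.1" 200 9000',
    '198.51.100.7 - - [10/Sep/2025:12:00:03 +0000] "GET /_image?href=https://attacker.example/payload.svg&f=svg HTTP/1.1" 200 1400',
    '198.51.100.7 - - [10/Sep/2025:12:00:04 +0000] "GET /_image?href=https:%5C%5Cattacker.example/payload.svg&f=svg HTTP/1.1" 200 1400',
    '192.0.2.9 - - [10/Sep/2025:12:00:05 +0000] "GET /about HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['host']} (HTTP {f['status']}): {f['href']}")
```

Running the block reports the two attacker.example requests and nothing else; a 200 on such a request is the signal that the endpoint actually proxied the remote content, whereas a patched deployment answers those with an error status.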

CVSS provenance

nvd (v3.1): 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
ghsa: 6.5 MEDIUM
osv: 6.5 MEDIUM
vulncheck: 6.5 MEDIUM