CVE-2025-65019
Published 2025-11-19
Priority P4 (27) · Severity: medium · CVSS 3.1 base score 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.22% (12.2 percentile)
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | < 5.15.9 | 5.15.9 |
| astro | astro | >= 0 < 5.15.9 | 5.15.9 |
| withastro | astro | < 5.15.9 | 5.15.9 |
GHSA
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
ghsa·2025-11-19
CVE-2025-65019 [MEDIUM] CWE-79 Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
**Summary**
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. The built-in image optimization endpoint (`/_image`) uses `isRemoteAllowed()` from Astro’s internal helpers, which **unconditionally allows `data:` URLs**. When the endpoint receives a valid `data:` URL pointing to a malicious SVG containing JavaScript, and the Cloudflare-specific implementation performs a **302 redirect back to the original `data:` URL**, the browser directly executes the embedded JavaScript. This completely bypasses any domain allow-listing (`image.domains` / `image.remotePatterns`) and typical Content Security Policy mitigations.
**Affect
OSV
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
osv·2025-11-19
CVE-2025-65019 [MEDIUM] Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-19