6.1 CVE-2025-55303
Patch Exploit
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
https://nvd.nist.gov/vuln/detail/CVE-2025-55303
Categories
CWE-79
References
134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit
| https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 Exploit Vendor Advisory |
security-advisories@github.com Patch Exploit
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:* | < 4.16.18 | |
| cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:* | >= 5.0.0 | < 5.13.2 |
REMEDIATION
Patch
| Url |
|---|
| https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e... |
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
Other Nist (github, ...)
| Url |
|---|
| https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 |
| https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
