The Astro project has disclosed a high-severity vulnerability in its Cloudflare adapter, tracked as CVE-2025-58179 (CVSS 7.2). The flaw impacts sites built with Astro when deployed on Cloudflare Pages or Workers using the default image service. Exploitation could lead to Server-Side Request Forgery (SSRF) and potentially Cross-Site Scripting (XSS).
Astro includes an /_image endpoint that generates optimized versions of images for on-demand rendering. Normally, this endpoint restricts processing to:
- Local images bundled with the site.
- Remote images explicitly allowed by developers through image.domains or image.remotePatterns.
However, as the advisory explains, “a bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.”
In effect, attackers can trick the vulnerable service into fetching and serving unauthorized content.
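To make the intended restriction concrete, here is an added example (not Astro's code and not from the advisory) of the allowlist logic that an `/_image`-style endpoint is supposed to enforce before fetching a remote image. It models the `image.domains` and `image.remotePatterns` settings from `astro.config.mjs`; the pattern field names, the `*.`/`**.` hostname wildcards, the `/**` pathname suffix and the `href` query parameter are assumptions drawn from how such configs are commonly shaped, not verified Astro internals. The sample config is constructed, and the rejected `placehold.co` URL is the domain named in the advisory.

```javascript
// Added example: an allowlist check for remote image URLs, shaped like the
// `image` key of astro.config.mjs. Field names and wildcard semantics are
// assumptions for illustration, not Astro's implementation.

// Constructed sample config (assumed shape).
const sampleImageConfig = {
  domains: ["images.example.com"],
  remotePatterns: [
    { protocol: "https", hostname: "**.cdn.example.net", pathname: "/assets/**" },
    { hostname: "*.example.org" },
  ],
};

// "**." matches any depth of subdomain (and the base itself);
// "*." matches exactly one label; otherwise require an exact match.
function hostnameMatches(pattern, hostname) {
  if (pattern.startsWith("**.")) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith("." + base);
  }
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    if (!hostname.endsWith("." + base)) return false;
    const sub = hostname.slice(0, hostname.length - base.length - 1);
    return sub.length > 0 && !sub.includes(".");
  }
  return pattern === hostname;
}

// A trailing "/**" allows any path under that prefix; otherwise exact match.
function pathnameMatches(pattern, pathname) {
  if (pattern.endsWith("/**")) return pathname.startsWith(pattern.slice(0, -2));
  return pattern === pathname;
}

// Returns true only if the URL parses, uses http(s), and matches either an
// allowlisted domain or one of the remote patterns. Anything else is refused.
function isAllowedRemoteImage(rawUrl, imageConfig) {
  let url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if ((imageConfig.domains ?? []).includes(url.hostname)) return true;
  return (imageConfig.remotePatterns ?? []).some((p) => {
    if (p.protocol && p.protocol !== url.protocol.slice(0, -1)) return false;
    if (p.port !== undefined && String(p.port) !== url.port) return false;
    if (p.hostname && !hostnameMatches(p.hostname, url.hostname)) return false;
    if (p.pathname && !pathnameMatches(p.pathname, url.pathname)) return false;
    return true;
  });
}

// Hypothetical endpoint shim (assumed `href` parameter): local, site-relative
// hrefs are served as bundled assets; absolute hrefs must pass the allowlist.
// Protocol-relative "//host/..." is NOT treated as local.
function handleImageRequest(requestUrl, imageConfig) {
  const href = new URL(requestUrl).searchParams.get("href");
  if (href === null) return { status: 400 };
  if (href.startsWith("/") && !href.startsWith("//")) {
    return { status: 200, source: "local", href };
  }
  if (!isAllowedRemoteImage(href, imageConfig)) return { status: 403 };
  return { status: 200, source: "remote", href };
}

// Stand-alone demo: the advisory's placeholder domain is refused, an
// allowlisted host is proxied.
const demo = [
  "https://site.example/_image?href=https%3A%2F%2Fplacehold.co%2F600x400&w=100",
  "https://site.example/_image?href=https%3A%2F%2Fimages.example.com%2Fa.png&w=100",
];
for (const r of demo) console.log(r, "->", handleImageRequest(r, sampleImageConfig).status);
```

The point of the shim is that the allowlist is evaluated at the endpoint, on the exact URL that will be fetched, after parsing; a bypass of the kind the advisory describes is precisely a request that reaches the fetch step without this check having rejected it.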
Researchers demonstrated the flaw by creating a minimal Astro project (astro@5.13.3) configured with the vulnerable Cloudflare adapter (@astrojs/cloudflare@12.6.5). Once deployed, a crafted request to the site's /_image endpoint served content from an unauthorized domain:
As the advisory confirms, “this will serve the placeholder image from the unauthorised placehold.co domain.”
The vulnerability carries serious implications:
- SSRF: Attackers could abuse the flaw to force the server to make requests to internal services.
- XSS: If a victim clicks on a maliciously crafted URL, unauthorized content could be delivered through the site’s origin, bypassing trust boundaries.
- Content injection: Attackers could create URLs on the affected site that appear legitimate but deliver malicious data.
According to the advisory, “this includes the risk of server-side request forgery (SSRF) and by extension cross-site scripting (XSS) if a user follows a link to a maliciously crafted URL.”
Developers are strongly urged to upgrade to @astrojs/cloudflare v12.6.6 or later.