Описание
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
Summary
This is a patch bypass of CVE-2025-58179 in commit 9ecf359. The fix blocks http://, https:// and //, but can be bypassed using backslashes (\) - the endpoint still issues a server-side fetch.
PoC
Пакеты
Наименование
astro
npm
Затронутые версииВерсия исправления
>= 5.13.4, < 5.13.10
5.13.10
Связанные уязвимости
CVSS3: 7.2
nvd
3 месяца назад
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.