Описание
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.
Уязвимые конфигурации
Конфигурация 1Версия до 5.15.9 (исключая)
cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 13%
0.00044
Низкий
5.4 Medium
CVSS3
6.1 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.4
github
3 месяца назад
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
EPSS
Процентиль: 13%
0.00044
Низкий
5.4 Medium
CVSS3
6.1 Medium
CVSS3
Дефекты
CWE-79