Platform
nodejs
Component
@astrojs/cloudflare
Fixed in
11.0.4
12.6.6
CVE-2025-58179 is a Server-Side Request Forgery (SSRF) vulnerability affecting Astro websites using the @astrojs/cloudflare adapter with specific configurations. This vulnerability allows attackers to potentially retrieve content from unauthorized third-party domains through the image optimization endpoint. The issue impacts versions 12.6.5 and earlier of @astrojs/cloudflare. A fix is available in version 12.6.6.
An attacker can exploit this SSRF vulnerability by crafting malicious image requests that target internal services or external resources. This could lead to information disclosure of sensitive data residing within the server's network, or potentially even allow the attacker to trigger actions on internal systems. The ability to serve content from arbitrary domains bypasses intended security controls and could be leveraged for phishing attacks or to inject malicious code into the website. The blast radius extends to any internal resources accessible from the server, and the impact can be significant depending on the sensitivity of those resources.
This vulnerability was publicly disclosed on 2025-09-04. There are currently no known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The SSRF nature of the vulnerability suggests a moderate probability of exploitation, particularly if internal services are exposed or misconfigured.
Astro websites utilizing the Cloudflare adapter with output: 'server' and imageService: 'compile' are at risk. This includes developers who have integrated external image sources into their Astro projects without proper validation and those using shared hosting environments where the server configuration might be less controllable.
• nodejs / server: `npm list @astrojs/cloudflare`
• nodejs / server: `grep -r "imageService: 'compile'" ./astro.config.mjs ./astro.config.ts`
• generic web: Check the Astro site's /_image endpoint for unauthorized domain access by attempting to load an image from an external, non-approved domain.
disclosure
Exploit status
EPSS
0.43% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @astrojs/cloudflare version 12.6.6 or later. If upgrading is not immediately feasible, consider implementing a strict allowlist of authorized image domains within your Astro configuration. Additionally, implement a Web Application Firewall (WAF) with rules to block requests to the /_image endpoint with suspicious or unauthorized URLs. Carefully review and restrict network access for the server running the Astro application to minimize the potential impact of a successful SSRF attack.
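As an added example, not code from Astro, the @astrojs/cloudflare adapter or this advisory, the allowlist and WAF mitigation above expressed as a request filter in JavaScript; it assumes the /_image endpoint receives the source image in the `href` query parameter (an assumption to confirm against your Astro version) and that the allowlist is supplied by the site operator.

```javascript
// Added example, not code from Astro or the @astrojs/cloudflare adapter: a request
// filter for the /_image endpoint that can back a WAF rule or a middleware in front
// of a site that cannot be upgraded yet. Assumption: the source image arrives as `href`.

// True for loopback, link-local, RFC 1918 and ULA addresses, so a remote
// "image" cannot be used to reach services inside the hosting network.
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  if (h === 'localhost' || h === '::1' || h === '0.0.0.0') return true;
  const m = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
  }
  return /^f[cd][0-9a-f]{2}:/.test(h) || h.startsWith('fe80:');
}

// Allowlist entries are exact hostnames, or "*.example.net" for subdomains.
function hostAllowed(hostname, allowedHosts) {
  return allowedHosts.some((entry) =>
    entry.startsWith('*.') ? hostname.endsWith(entry.slice(1)) : hostname === entry);
}

// Returns { allow, reason } for an incoming request path such as
// "/_image?href=https://images.example.com/a.jpg&w=400&f=webp".
function checkImageRequest(requestPath, allowedHosts) {
  const req = new URL(requestPath, 'http://placeholder.invalid');
  if (req.pathname !== '/_image') return { allow: true, reason: 'not the image endpoint' };
  const href = req.searchParams.get('href');
  if (href === null) return { allow: false, reason: 'missing href' };
  // Site-relative paths point at the site's own assets; "//host/..." is not relative.
  if (href.startsWith('/') && !href.startsWith('//')) return { allow: true, reason: 'site-relative path' };
  let target;
  try {
    target = new URL(href);
  } catch {
    return { allow: false, reason: 'href is not an absolute URL' };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { allow: false, reason: `scheme ${target.protocol} not allowed` };
  }
  if (isInternalHost(target.hostname)) return { allow: false, reason: 'internal address' };
  if (!hostAllowed(target.hostname.toLowerCase(), allowedHosts)) {
    return { allow: false, reason: `host not allowlisted: ${target.hostname}` };
  }
  return { allow: true, reason: 'allowlisted host' };
}
```

A host allowlist does not cover redirects served by an allowlisted host or DNS rebinding, so treat this as a stopgap until the upgrade is applied.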
Update the `@astrojs/cloudflare` package to version 12.6.6 or higher. This fixes the SSRF vulnerability in the /_image endpoint. Run `npm update @astrojs/cloudflare` or `yarn upgrade @astrojs/cloudflare` to update.
CVE-2025-58179 is a Server-Side Request Forgery vulnerability in @astrojs/cloudflare affecting Astro sites using specific configurations, allowing attackers to retrieve content from unauthorized domains.
You are affected if you use @astrojs/cloudflare version 12.6.5 or earlier and have output: 'server' and imageService: 'compile' configured in your Astro project.
Upgrade to @astrojs/cloudflare version 12.6.6 or later. Consider implementing WAF rules to filter requests to the /_image endpoint as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the official Astro blog and GitHub repository for updates and advisories related to CVE-2025-58179.