Platform: nodejs
Component: @astrojs/cloudflare
Fixed in: 11.0.4, 12.6.6
CVE-2025-58179 is a Server-Side Request Forgery (SSRF) vulnerability affecting Astro websites using the @astrojs/cloudflare adapter with specific configurations. This vulnerability allows attackers to potentially retrieve content from unauthorized third-party domains through the image optimization endpoint. The issue impacts versions 12.6.5 and earlier of @astrojs/cloudflare. A fix is available in version 12.6.6.
The SSRF vulnerability arises because the image optimization endpoint (/_image) in Astro sites, when configured with output: 'server' and imageService: 'compile', does not properly validate the URLs it receives. This lack of validation allows an attacker to craft malicious requests that instruct the server to fetch content from arbitrary external sources. An attacker could leverage this to access internal resources that are not directly exposed to the public internet, potentially revealing sensitive data or gaining unauthorized access to backend systems. The blast radius extends to any data accessible through HTTP/HTTPS requests from the server, depending on the permissions and network configuration of the Astro deployment.
This vulnerability is not currently listed on KEV. The EPSS score is likely to be medium, given the relatively straightforward nature of SSRF exploitation and the potential for impact. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it likely that one will emerge. The CVE was published on 2025-09-04.
Exploit Status
EPSS: 0.43% (62nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-58179 is to upgrade to @astrojs/cloudflare version 12.6.6 or later, which includes the necessary URL validation checks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter incoming requests to the /_image endpoint, blocking requests whose remote image URL points at a domain outside your allowlist. Additionally, review and restrict outbound network access for the Astro server to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by requesting the /_image endpoint with a URL pointing to an external, unauthorized domain; the request should be rejected.
Update the `@astrojs/cloudflare` package to version 12.6.6 or higher. This fixes the SSRF vulnerability in the /_image endpoint. Run `npm update @astrojs/cloudflare` or `yarn upgrade @astrojs/cloudflare` to update.
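Two checks a maintainer can script from the facts in this advisory, as an added example in JavaScript (not code from Astro, from @astrojs/cloudflare or from this page): a version test that classifies an installed @astrojs/cloudflare version against the fixed releases 11.0.4 and 12.6.6, and an allowlist check of the kind the advisory says the fix adds, which a reverse proxy could apply to the remote-image URL of /_image requests while an upgrade is pending. The query parameter name `href`, the allowlist shape (modelled on Astro's `image.domains` and `image.remotePatterns` options), the wildcard semantics and the sample hosts are assumptions made for this example.

```javascript
// Added example, not Astro's or @astrojs/cloudflare's own code.
// 1. isAffectedVersion(): is an installed @astrojs/cloudflare version below the
//    fixed release for its major line? Fixed releases from the advisory: 11.0.4, 12.6.6.
// 2. classifyImageHref(): allowlist check for the remote-image URL a /_image request
//    asks the server to fetch. The parameter name `href` is an assumption; the config
//    shape is modelled on Astro's `image.domains` / `image.remotePatterns` options,
//    but this matcher is a simplified stand-in, not Astro's own.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed releases listed in the advisory, keyed by major version.
const FIXED_BY_MAJOR = { 11: '11.0.4', 12: '12.6.6' };

// True when `installed` is older than the fix for its major line. Majors with no
// listed fix are assumed affected below 12 and fixed above 12 (assumption).
function isAffectedVersion(installed) {
  const [major] = parseVersion(installed);
  const fixed = FIXED_BY_MAJOR[major];
  if (fixed === undefined) return major < 12;
  return compareVersions(installed, fixed) < 0;
}

// Hostname pattern semantics assumed here: "**.base" matches base and any depth of
// subdomain, "*.base" matches exactly one subdomain level, anything else is exact.
function hostnameMatches(pattern, hostname) {
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    if (!hostname.endsWith('.' + base)) return false;
    const sub = hostname.slice(0, -(base.length + 1));
    return sub.length > 0 && !sub.includes('.');
  }
  return pattern === hostname;
}

// Returns 'local' (same-site asset path, no fetch to a foreign origin), 'allowed'
// (remote origin on the allowlist) or 'blocked' (everything else, including
// non-HTTP schemes and protocol-relative URLs that would resolve off-site).
function classifyImageHref(href, { domains = [], remotePatterns = [] } = {}) {
  const candidate = href.startsWith('//') ? 'https:' + href : href;
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return 'local'; // no scheme and no host: resolves within the site itself
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'blocked';
  if (domains.includes(url.hostname)) return 'allowed';
  const ok = remotePatterns.some((p) =>
    (!p.protocol || p.protocol === url.protocol.slice(0, -1)) &&
    (!p.hostname || hostnameMatches(p.hostname, url.hostname)) &&
    (!p.pathname || url.pathname.startsWith(p.pathname)));
  return ok ? 'allowed' : 'blocked';
}

// Constructed sample allowlist and requests for a stand-alone run.
const SAMPLE_CONFIG = {
  domains: ['cdn.example.com'],
  remotePatterns: [
    { protocol: 'https', hostname: '**.images.example.org' },
    { hostname: '*.example.net', pathname: '/media/' },
  ],
};

const SAMPLE_HREFS = [
  '/_astro/hero.abc123.png',                      // local asset
  'https://cdn.example.com/logo.png',             // exact domain allowlisted
  'https://cdn.example.com.attacker.test/x.png',  // allowlisted name only as a prefix
  'https://a.b.images.example.org/pic.jpg',       // multi-level wildcard
  'http://a.images.example.org/pic.jpg',          // wrong scheme for that pattern
  'https://img.example.net/media/1.png',          // single-level wildcard + path prefix
  'https://img.example.net/other/1.png',          // path outside the prefix
  '//cdn.attacker.test/x.png',                    // protocol-relative, off-site
  'http://internal-service.local/status',         // not on any allowlist
  'file:///etc/hostname',                         // non-HTTP scheme
];

for (const v of ['11.0.3', '11.0.4', '12.6.5', '12.6.6']) {
  console.log(`@astrojs/cloudflare ${v}: ${isAffectedVersion(v) ? 'AFFECTED' : 'fixed'}`);
}
for (const h of SAMPLE_HREFS) {
  console.log(`${classifyImageHref(h, SAMPLE_CONFIG).padEnd(7)} ${h}`);
}
```

The version check deliberately errs toward "affected" for major lines the advisory lists no fix for, so an unknown line shows up for review rather than being silently passed. The URL check rejects anything that is not plain http/https and treats protocol-relative input as remote, because a proxy that only inspects absolute URLs would otherwise let `//host/path` through.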
CVE-2025-58179 is a Server-Side Request Forgery vulnerability in @astrojs/cloudflare affecting Astro sites using specific configurations, allowing attackers to retrieve content from unauthorized domains.
You are affected if you use @astrojs/cloudflare version 12.6.5 or earlier and have output: 'server' and imageService: 'compile' configured in your Astro project.
Upgrade to @astrojs/cloudflare version 12.6.6 or later. Consider implementing WAF rules to filter requests to the /_image endpoint as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the official Astro blog and GitHub repository for updates and advisories related to CVE-2025-58179.