When using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections.
On-demand rendered sites built with Astro include an /_image endpoint for image optimization. While this endpoint is designed to restrict processing to local images and authorized remote domains (configured via image.domains or image.remotePatterns), a critical vulnerability exists in the underlying validation logic.
The isRemoteAllowed() function in packages/internal-helpers/src/remote.ts (lines 128-131) unconditionally allows ALL data: protocol URLs without any validation or sanitization. When combined with SVG images containing JavaScript, this creates a vector for XSS attacks.
Vulnerable Code:
// packages/internal-helpers/src/remote.ts, lines 128-131
if (url.protocol === 'data:') {
  return true; // ← Unconditionally allows ALL data: URLs!
}
The vulnerability manifests differently depending on the image endpoint implementation:
- Safe implementation: Server processes SVG and converts to raster format (PNG/JPEG), removing JavaScript
- Vulnerable implementation: Server redirects browser to raw SVG data URL, allowing JavaScript execution
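The unconditional data: check described above compared with a stricter one, as an added example that is not Astro's code or its patch. The function names, the raster media-type allowlist and the sample URLs are assumptions constructed here.

```javascript
// Added example: names here are hypothetical, not Astro's API.
const RASTER_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

function isAllowedHost(url, allowedHosts) {
  const web = url.protocol === 'https:' || url.protocol === 'http:';
  return web && allowedHosts.includes(url.hostname);
}

// Same shape as the check quoted above: every data: URL passes.
function permissiveCheck(url, allowedHosts) {
  if (url.protocol === 'data:') {
    return true;
  }
  return isAllowedHost(url, allowedHosts);
}

// Media type declared in a data: URL (RFC 2397); text/plain when omitted.
function dataUrlMediaType(url) {
  const header = url.pathname.split(',', 1)[0];
  const type = header.split(';', 1)[0].trim().toLowerCase();
  return type === '' ? 'text/plain' : type;
}

// Stricter variant: data: URLs pass only with a raster media type.
function strictCheck(url, allowedHosts) {
  if (url.protocol === 'data:') {
    return url.pathname.includes(',') && RASTER_TYPES.has(dataUrlMediaType(url));
  }
  return isAllowedHost(url, allowedHosts);
}

// Run both checks on one source string; unparsable input is rejected.
function compareChecks(src, allowedHosts) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return { permissive: false, strict: false };
  }
  return {
    permissive: permissiveCheck(url, allowedHosts),
    strict: strictCheck(url, allowedHosts),
  };
}

// Constructed samples; the SVG is an empty element with no script.
const SAMPLE_SVG = 'data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22/%3E';
const SAMPLE_PNG = 'data:image/png;base64,iVBORw0KGgo=';
console.log(compareChecks(SAMPLE_SVG, ['images.example.com']));
```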
Create a new minimal Astro project (astro@latest)
Configure it to use the Cloudflare adapter (@astrojs/cloudflare@12.6.10)
Deploy to Cloudflare Pages or Workers.
Write a page that loads an SVG image, like: SVG XSS Payload
Open the SVG file directly to show an alert (in real scenarios, apps that use the framework will, for example, use a CDN to load SVGs, depending on the framework being secure)
{
  "nvd_published_at": "2025-11-19T17:15:53Z",
  "github_reviewed": true,
  "cwe_ids": [
    "CWE-79"
  ],
  "severity": "MODERATE",
  "github_reviewed_at": "2025-11-19T20:09:12Z"
}