PT-2025-33828 · Astro · Astro
Chriselbring-Avalabs +2
Published 2025-08-19 · Updated 2026-01-22 · CVE-2025-55303
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 5.13.2; Astro versions prior to 4.16.18
Description: Astro is a web framework for content-driven websites. In projects deployed with on-demand rendering, the image optimization endpoint allows images from unauthorized third-party domains to be served. The /_image endpoint, which returns optimized versions of images, is affected. An attacker can bypass third-party domain restrictions by using a protocol-relative URL as the image source, such as /_image?href=//example.com/image.png.
Recommendations: Update to Astro version 5.13.2 or later. Update to Astro version 4.16.18 or later.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2025-55303
GHSA-XF8X-J4P2-F749

Affected Products

Astro