Name of the Vulnerable Software and Affected Versions:

Astro versions prior to 5.13.2

Astro versions prior to 4.16.18

Description:

Astro is a web framework for content-driven websites. The image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. The `/ image` endpoint, which returns optimized versions of images, is affected. An attacker can bypass third-party domain restrictions by using a protocol-relative URL as the image source, such as `/ image?href=//example.com/image.png`.

Recommendations:

Update to Astro version 5.13.2 or later.

Update to Astro version 4.16.18 or later.