PT-2025-36102 · Astro

Ghostdevv

Published 2025-09-04 · Updated 2026-04-24 · CVE-2025-58179

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Astro versions 11.0.3 through 12.6.5

Description: Astro, a web framework for content-driven websites, is susceptible to a Server-Side Request Forgery (SSRF) issue when utilizing the Cloudflare adapter. When configured with output: 'server' and the default imageService: 'compile', the generated image optimization endpoint fails to validate the received URLs, potentially allowing content from unauthorized third-party domains to be served. This flaw stems from a bug in the @astrojs/cloudflare adapter, enabling attackers to circumvent third-party domain restrictions and serve content from the vulnerable origin.

Recommendations: Update to Astro version 12.6.6 or later.
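The missing check described above is an allowlist decision: before a server-side image endpoint fetches the remote URL named in its href parameter, the URL must match the domains the site owner configured. The following is an added illustration, not code from Astro or the @astrojs/cloudflare adapter; the configuration shape (domains, remotePatterns with protocol/hostname/port/pathname) mirrors Astro's documented image options, while the /_image endpoint form, the wildcard semantics and the hostnames are assumptions.

```javascript
// Added example: allowlist validation for a server-side image optimization endpoint.
// Config shape follows Astro's image.domains / image.remotePatterns options (assumption:
// the real adapter's internals differ). Hostnames below are constructed placeholders.
const EXAMPLE_CONFIG = {
  domains: ["images.example.com"],
  remotePatterns: [{ protocol: "https", hostname: "**.cdn.example.net", pathname: "/public/" }],
};

// "**.base" matches one or more subdomain labels, "*.base" exactly one, else exact match.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("**.")) return hostname.endsWith("." + pattern.slice(3));
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    if (!hostname.endsWith("." + base)) return false;
    const sub = hostname.slice(0, -(base.length + 1));
    return sub.length > 0 && !sub.includes(".");
  }
  return pattern === hostname;
}

// Decide whether a remote href may be fetched. Malformed, relative, protocol-relative
// ("//host/x") and non-HTTP(S) URLs are rejected outright; otherwise the URL must be in
// the domains list or satisfy every field set on one remotePatterns entry.
function isAllowedRemoteImage(href, config) {
  let url;
  try { url = new URL(href); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (config.domains.includes(url.hostname)) return true;
  return config.remotePatterns.some((p) =>
    (!p.protocol || p.protocol + ":" === url.protocol) &&
    (!p.hostname || hostMatches(p.hostname, url.hostname)) &&
    (!p.port || p.port === url.port) &&
    (!p.pathname || url.pathname.startsWith(p.pathname)));
}

// Gate an incoming request such as /_image?href=...&w=200 (endpoint form is an assumption).
// Same-origin paths ("/logo.png") are fine; anything else goes through the allowlist.
function checkImageRequest(requestUrl, config = EXAMPLE_CONFIG) {
  const href = new URL(requestUrl, "http://localhost").searchParams.get("href");
  if (href === null) return { allowed: false, reason: "missing href" };
  if (href.startsWith("/") && !href.startsWith("//")) return { allowed: true, reason: "same-origin" };
  return isAllowedRemoteImage(href, config)
    ? { allowed: true, reason: "allowlisted remote" }
    : { allowed: false, reason: "remote host not allowlisted" };
}
```

Rejecting unparseable and protocol-relative hrefs before the host comparison is what closes the gap this advisory describes: a check that only looks at the hostname after a successful parse still lets "//third-party.example/x" through when the fetch layer resolves it against a scheme.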

Weakness Enumeration

SSRF

Related Identifiers

CVE-2025-58179
GHSA-QPR4-C339-7VQ8

Affected Products

@astrojs/cloudflare
Astro