PT-2025-47490 · Astro · @Astrojs/Cloudflare +1

Published: 2025-11-19 · Updated: 2025-11-27 · CVE-2025-65019

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Astro versions prior to 5.15.9

Description

Astro, a web framework, has a flaw when the Cloudflare adapter (@astrojs/cloudflare) is used with output set to 'server'. The image optimization endpoint ('/_image') relies on the isRemoteAllowed() function, which incorrectly accepts data: protocol URLs. Because the endpoint then serves attacker-supplied content such as a malicious SVG from the site's own origin, this can be exploited for Cross-Site Scripting (XSS) and bypasses both the configured remote-domain restrictions and Content Security Policy protections.

Recommendations

Update to version 5.15.9 or later.
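An added example, not Astro's code or its actual fix, of the check class this advisory describes: a hypothetical host-only allowlist that lets data: URLs through because they carry no host, beside a hardened version that pins the scheme to http(s) before matching the host. Function names and the allowlist are assumptions.

```javascript
// Constructed allowlist of remote image hosts (assumption, not Astro config).
const ALLOWED_HOSTS = ["cdn.example.com", "images.example.org"];

// Hypothetical weak check: it only reasons about hostnames. Schemes such as
// data: and blob: have an empty hostname, so "no host" is treated as
// "nothing to deny" and the URL is allowed.
function isRemoteAllowedWeak(href, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(href); } catch { return false; }
  if (url.hostname === "") return true;        // data:, blob:, etc. slip through
  return allowedHosts.includes(url.hostname);
}

// Hardened check: decide on the scheme first, reject embedded credentials,
// then require an exact hostname match against the allowlist.
function isRemoteAllowed(href, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(href); } catch { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return allowedHosts.includes(url.hostname.toLowerCase());
}

// Constructed inputs: a benign inline SVG data: URL, an allowlisted host,
// a look-alike host, and a URL carrying credentials.
const SAMPLE_URLS = [
  "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'/>",
  "https://cdn.example.com/hero.png",
  "https://cdn.example.com.attacker.example/hero.png",
  "https://user@cdn.example.com/hero.png",
];

// Returns, per URL, what each check decides, so the difference is visible.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, weak: isRemoteAllowedWeak(u), hardened: isRemoteAllowed(u) }));
}

for (const r of compareChecks()) console.log(r);
```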

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-65019
GHSA-FVMW-CJ7J-J39Q

Affected Products

@Astrojs/Cloudflare
Astro