PT-2026-34823 · Astro · @Astrojs/Cloudflare

Published 2026-04-23 · Updated 2026-04-24 · CVE-2026-41321

CVSS v3.1: 2.2 (Low)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: @astrojs/cloudflare versions prior to 13.1.10

Description: The fetch() call for remote images in 'packages/integrations/cloudflare/src/utils/image-binding-transform.ts' uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check, which only validates the initial URL. This issue enables blind Server-Side Request Forgery (SSRF): an attacker can use an open redirect on an allowed domain to reach unauthorized internal destinations, bypassing the image.domains and image.remotePatterns allowlists.

Recommendations: Update to version 13.1.10.
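Added example (not code from Astro or @astrojs/cloudflare, and not the project's actual fix): a JavaScript sketch of the weak pattern described above beside a redirect-aware one that disables automatic following and re-runs the allowlist on every hop. The allowlist, the isRemoteAllowed() helper, the route table and the synchronous fakeFetch stand-in are all hypothetical and constructed for an offline run.

```javascript
// Added example, not @astrojs/cloudflare code. All names below are hypothetical.
const ALLOWED_HOSTS = ["images.example.com"]; // constructed stand-in for image.domains

function isRemoteAllowed(url) {
  try {
    return ALLOWED_HOSTS.includes(new URL(url).hostname);
  } catch {
    return false; // an unparsable URL is never allowed
  }
}

// Constructed stand-in for fetch(): synchronous and offline, but it honours the
// `redirect` option like the real API ("follow" chases Location, "manual" returns the 3xx).
const ROUTES = {
  "https://images.example.com/cat.png": { status: 200, body: "png-bytes" },
  "https://images.example.com/go?u=http://internal.example/secret":
    { status: 302, location: "http://internal.example/secret" }, // open redirect on an allowed host
  "http://internal.example/secret": { status: 200, body: "internal-only" },
};

function fakeFetch(url, { redirect = "follow" } = {}) {
  const route = ROUTES[url] ?? { status: 404, body: "" };
  if (route.status === 302 && redirect === "follow") {
    return fakeFetch(route.location, { redirect }); // the real fetch() would follow here too
  }
  return {
    url, status: route.status, body: route.body ?? "",
    headers: { get: (k) => (k.toLowerCase() === "location" ? route.location : undefined) },
  };
}

// Weak pattern: only the initial URL is checked, then redirects are followed blindly.
function fetchFollowing(url, fetchImpl = fakeFetch) {
  if (!isRemoteAllowed(url)) throw new Error(`blocked: ${url}`);
  return fetchImpl(url, { redirect: "follow" });
}

// Hardened pattern: no automatic redirects; every hop must pass the allowlist.
function fetchRevalidating(url, fetchImpl = fakeFetch, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isRemoteAllowed(current)) throw new Error(`blocked: ${current}`);
    const res = fetchImpl(current, { redirect: "manual" });
    if (res.status < 300 || res.status >= 400) return res;
    const location = res.headers.get("location");
    if (!location) throw new Error("redirect without Location header");
    current = new URL(location, current).href; // resolve a relative Location against the current URL
  }
  throw new Error("too many redirects");
}
```

With the real, asynchronous fetch() the same loop applies with `await` in front of each call.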

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-41321
GHSA-88GM-J2WX-58H6

Affected Products

@Astrojs/Cloudflare