Description
Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request forgery (SSRF) and potentially cross-site scripting (XSS). This vulnerability exists due to an incomplete fix for CVE-2025-58179. Fixed in 5.13.10.
References
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
Patch (x_refsource_misc): https://github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
Scores
CVSS v3: 7.2
EPSS: 0.0004
EPSS Percentile: 13.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-918, CWE-79
Status: published
Products (2)
astro/astro: 5.13.4 - 5.13.10
npm/astro: 5.13.4 - 5.13.10
Published: Oct 28, 2025
Tracked Since: Feb 18, 2026