CVE-2025-65019
MEDIUMAstro < 5.15.9 - Cross-Site Scripting via Cloudflare Image Optimization Endpoint
Title source: llmDescription
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q
Scores
CVSS v3
5.4
EPSS
0.0003
EPSS Percentile
10.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
astro/astro
< 5.15.9
npm/astro
0 - 5.15.9npm
Published
Nov 19, 2025
Tracked Since
Feb 18, 2026