Server-Side Request Forgery Vulnerability in Astro Web Framework by Astro
CVE-2025-58179

7.2HIGH

Key Information:

Vendor: Withastro
Status: Astro
Vendor: CVE Published:; 4 September 2025

What is CVE-2025-58179?

A vulnerability exists in the Astro web framework, specifically in versions 11.0.3 through 12.6.5, that allows Server-Side Request Forgery when using the Cloudflare adapter. This issue arises when configured with output: 'server' and default imageService: 'compile'. Under these conditions, the optimization endpoint fails to validate incoming URLs, potentially permitting unauthorized content from third-party domains to be served. This security flaw has been addressed in version 12.6.6.

Affected Version(s)

astro >= 11.0.3, < 12.6.6

References

https://github.com/withastro/astro/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/withastro/astro/commit/9ecf3598e2b29dd...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 4, 2025
Vulnerability Reserved
Aug 27, 2025

CVE-2025-58179 Data

JSON

Withastro

What is CVE-2025-58179?

Affected Version(s)

References

CVSS V3.1

Timeline