CVE-2025-65019: Critical XSS Vulnerability in Astro’s Cloudflare Adapter

Overview

A critical Cross-Site Scripting (XSS) vulnerability has been identified in Astro’s Cloudflare adapter (@astrojs/cloudflare) affecting versions prior to 5.15.9. Designated as CVE-2025-65019, this flaw resides within the image optimization endpoint and allows attackers to inject malicious SVG payloads when the output: 'server' configuration is used. This bypasses domain restrictions and Content Security Policy (CSP) protections, posing a significant security risk.

Technical Details

The vulnerability stems from the isRemoteAllowed() function within Astro’s image optimization endpoint (/_image). Prior to version 5.15.9, this function unconditionally allowed data: protocol URLs, so a data: URL was never subjected to the configured domain restrictions. An attacker can exploit this by crafting a malicious SVG containing JavaScript and embedding it in a data: URL passed to the endpoint. When a user’s browser renders such an image through the Astro application, the embedded JavaScript executes within the user’s session, potentially leading to data theft, session hijacking, or defacement of the website.

Example of a malicious SVG payload (illustrative):

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
    <script>
        alert('XSS Vulnerability!'); // Demonstrates the XSS attack. In a real attack, this would be more sophisticated.
    </script>
</svg>

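To make the flaw in the allow check concrete, here is an added example (not Astro’s own code) of a simplified, hypothetical isRemoteAllowed-style check for remote image sources: the vulnerable form accepts any data: URL before the domain rules are consulted, while the hardened form only accepts http(s) URLs whose host is on an explicit allowlist. ALLOWED_DOMAINS, the function names and the sample inputs are assumptions constructed for this illustration.

```javascript
// Hypothetical reconstruction of a remote-image allow check (not Astro's code).
const ALLOWED_DOMAINS = ["images.example.com"]; // constructed sample allowlist

// Vulnerable variant: a data: URL passes unconditionally, so the domain
// allowlist is never applied to inline SVG content.
function isRemoteAllowedVulnerable(src, allowedDomains = ALLOWED_DOMAINS) {
  if (src.startsWith("data:")) return true; // <- the flaw described above
  try {
    return allowedDomains.includes(new URL(src).hostname);
  } catch {
    return false; // not an absolute URL
  }
}

// Hardened variant: only http/https schemes, and only allowlisted hosts.
// data:, javascript:, file: and any other scheme are rejected outright.
function isRemoteAllowedHardened(src, allowedDomains = ALLOWED_DOMAINS) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false; // not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowedDomains.includes(url.hostname);
}

// Constructed sample inputs: an allowlisted image, a non-allowlisted host,
// and an inline SVG carrying a <script> element wrapped in a data: URL.
const svgPayload =
  "data:image/svg+xml," +
  encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>');

const samples = [
  "https://images.example.com/logo.png",
  "https://evil.example.net/x.png",
  svgPayload,
];

// Runs a checker over all samples and returns the verdicts as a JSON string
// so the two variants can be compared side by side.
function checkAll(fn) {
  return JSON.stringify(samples.map((s) => fn(s)));
}

console.log("vulnerable:", checkAll(isRemoteAllowedVulnerable)); // [true,false,true]
console.log("hardened:  ", checkAll(isRemoteAllowedHardened));   // [true,false,false]
```

The only difference in verdicts is the SVG data: URL, which the vulnerable check lets through and the hardened check rejects because it is not an http(s) URL.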
CVSS Analysis

  • CVE ID: CVE-2025-65019
  • Severity: MEDIUM
  • CVSS Score: 5.4

A CVSS score of 5.4 indicates a Medium severity vulnerability. While not as severe as a critical vulnerability, it still poses a significant risk due to the potential for XSS attacks, which can have a wide range of impacts.

Possible Impact

Successful exploitation of this vulnerability can lead to:

  • Cross-Site Scripting (XSS): Attackers can inject malicious scripts into the website, executing in the context of the user’s browser.
  • Session Hijacking: Attackers can steal users’ session cookies, gaining unauthorized access to their accounts.
  • Data Theft: Sensitive user data can be stolen and exfiltrated.
  • Website Defacement: The attacker can modify the appearance or content of the website.
  • Phishing Attacks: Attackers can redirect users to malicious websites to steal credentials.

Mitigation or Patch Steps

The vulnerability has been patched in Astro version 5.15.9. The following steps are recommended:

  1. Upgrade Astro: Upgrade your Astro project to version 5.15.9 or later. This can typically be done using your package manager (e.g., npm, yarn, pnpm).
  2. Verify Configuration: Ensure that your @astrojs/cloudflare adapter is correctly configured.
  3. Content Security Policy (CSP): Although the vulnerability bypasses CSP in affected versions, enabling and properly configuring CSP after upgrading remains crucial as a defense-in-depth measure against other potential XSS vectors.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
