CVE-2025-55303

Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820	Patch
https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749	Exploit Vendor Advisory
https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:astro:astro::::::node.js::*
	cpe:2.3:a:astro:astro::::::node.js::*

History

25 Nov 2025, 14:31

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
First Time		Astro astro Astro
CPE		cpe:2.3:a:astro:astro::::::node.js::*
References	~~() https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820 -~~	() https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820 - Patch
References	~~() https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 -~~	() https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749 - Exploit, Vendor Advisory

Information

Published : 2025-08-19 19:15

Updated : 2025-11-25 14:31

NVD link : CVE-2025-55303

Mitre link : CVE-2025-55303

CVE.ORG link : CVE-2025-55303

JSON object : View

Products Affected

astro

astro

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-115

Misinterpretation of Input

{"id": "CVE-2025-55303", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-19T19:15:36.880", "references": [{"url": "https://github.com/withastro/astro/commit/4d16de7f95db5d1ec1ce88610d2a95e606e83820", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/withastro/astro/security/advisories/GHSA-xf8x-j4p2-f749", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-115"}]}], "descriptions": [{"lang": "en", "value": "Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18."}, {"lang": "es", "value": "Astro es un framework web para sitios web basados en contenido. En versiones de Astro anteriores a la 5.13.2 y la 4.16.18, el endpoint de optimizaci\u00f3n de im\u00e1genes en proyectos implementados con renderizado bajo demanda permite la entrega de im\u00e1genes de dominios de terceros no autorizados. Los sitios web renderizados bajo demanda creados con Astro incluyen un endpoint /_image que devuelve versiones optimizadas de las im\u00e1genes. Un error en las versiones afectadas de Astro permite a un atacante eludir las restricciones de dominio de terceros utilizando una URL relativa al protocolo como fuente de la imagen, por ejemplo, /_image?href=//example.com/image.png. Esta vulnerabilidad se corrigi\u00f3 en las versiones 5.13.2 y 4.16.18."}], "lastModified": "2025-11-25T14:31:24.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "37E61F09-80C8-43B3-BADC-7DF0E914FEE9", "versionEndExcluding": "4.16.18"}, {"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B3311B0A-5F6A-41C3-A69D-EB58081ED818", "versionEndExcluding": "5.13.2", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}