CVE-2026-41321: Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
The fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts (line 28) uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL.
All three other image fetch paths in the codebase correctly use { redirect: 'manual' }. This is an incomplete fix for GHSA-qpr4-c339-7vq8.
Confirmed on HEAD.
References
- github.com/advisories/GHSA-88gm-j2wx-58h6
- github.com/advisories/GHSA-qpr4-c339-7vq8
- github.com/withastro/astro
- github.com/withastro/astro/commit/a43eb4b40b4f81530e3c9b5e2959495900320433
- github.com/withastro/astro/releases/tag/%40astrojs%2Fcloudflare%4013.1.10
- github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6
- nvd.nist.gov/vuln/detail/CVE-2026-41321
Code Behaviors & Features
Detect and mitigate CVE-2026-41321 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →