Astro allows unauthorized third-party images in _image endpoint
In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.
Advisories for Npm/@Astrojs/Node package
2025
@astrojs/node's trailing slash handling causes open redirect issue
Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.