CVE-2025-59837: Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
(updated )
This is a patch bypass of CVE-2025-58179 in commit 9ecf359. The fix blocks http://, https:// and //, but can be bypassed using backslashes (\) - the endpoint still issues a server-side fetch.
References
- github.com/advisories/GHSA-qcpr-679q-rhm2
- github.com/withastro/astro
- github.com/withastro/astro/commit/1e2499e8ea83ebfa233a18a7499e1ccf169e56f4
- github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047ea90e67252
- github.com/withastro/astro/security/advisories/GHSA-qcpr-679q-rhm2
- nvd.nist.gov/vuln/detail/CVE-2025-59837
Code Behaviors & Features
Detect and mitigate CVE-2025-59837 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →