@astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint

2.2 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Description

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerabiity is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.

Basic Information

ID CVE-2026-41321

Source GitHub_M

Published Apr 24, 2026 at 17:04

Affected Product

Vendor withastro

Product @astrojs/cloudflare

Version < 13.1.10

Affected Versions withastro @astrojs/cloudflare < 13.1.10

CWE Classification

CWE-918

References

github.com /withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6

{
    "lastseen": "",
    "description": "@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerabiity is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.",
    "published": "2026-04-24T17:04:06.118Z",
    "modified": "2026-04-24T17:04:06.118Z",
    "type": "cve",
    "title": "@astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint",
    "source": "GitHub_M",
    "references": "https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6",
    "id": "CVE-2026-41321",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "withastro @astrojs/cloudflare < 13.1.10",
    "sourceHref": "",
    "cvss": {
        "score": 2.2,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "@astrojs/cloudflare",
    "version": "< 13.1.10",
    "vendor": "withastro",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

@astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint_CVE-2026-41321