Cyber Resilience

CVE-2025-58179

High · Public PoC

Published: 05 September 2025
Modified: 22 December 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0038 (59.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-58179 is a high-severity SSRF (CWE-918) vulnerability in Astro (@astrojs/cloudflare). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 40.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Astro, a web framework for content-driven sites, contains an SSRF vulnerability in versions 11.0.3 through 12.6.5 when the Cloudflare adapter is used with output set to 'server' and the default imageService set to 'compile'. The generated image optimization endpoint fails to validate supplied URLs, and a flaw in the @astrojs/cloudflare adapter permits bypass of intended third-party domain restrictions, allowing the origin to serve arbitrary external content.

An unauthenticated remote attacker can supply crafted image URLs to the optimization endpoint and cause the vulnerable Astro deployment on Cloudflare to fetch and return content from any domain, achieving limited unauthorized data retrieval and potential abuse of the origin's network position.

The issue is resolved in Astro 12.6.6; the referenced GitHub advisory and commit detail the patch that restores proper URL validation within the Cloudflare adapter.
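A defensive sketch of the control the patch restores, written for this page and not taken from Astro or the adapter: a remote-image optimization handler that decides on the parsed URL and accepts only hosts on an explicit allowlist, failing closed on everything else. The `href` query parameter, the config shape mirroring Astro's `image.domains` / `image.remotePatterns` options, and all hostnames are assumptions.

```javascript
// Added example for this page, not Astro's or @astrojs/cloudflare's own code.
// Allowlist config loosely mirroring Astro's image.domains / image.remotePatterns
// options (assumption); hostnames are constructed sample values.
const IMAGE_CONFIG = {
  domains: ["images.example.com"],
  remotePatterns: [
    { protocol: "https", hostname: "**.cdn.example.net" },   // any depth of subdomain
    { protocol: "https", hostname: "*.static.example.org" }, // exactly one extra label
  ],
};

// Match a hostname against an exact name or a "*." / "**." prefix pattern.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("**.")) {
    const suffix = pattern.slice(3);
    return hostname === suffix || hostname.endsWith("." + suffix);
  }
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(2);
    if (!hostname.endsWith("." + suffix)) return false;
    const label = hostname.slice(0, -(suffix.length + 1));
    return label.length > 0 && !label.includes(".");
  }
  return pattern === hostname;
}

// The check the advisory says was missing: decide on the parsed URL, never on
// the raw string, and fail closed on anything that does not parse as http(s).
function isRemoteImageAllowed(rawUrl, config = IMAGE_CONFIG) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; } // relative or malformed: reject
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // userinfo has no place in an image URL
  const host = url.hostname.toLowerCase();
  if (config.domains.includes(host)) return true;
  return config.remotePatterns.some(
    (p) => (!p.protocol || `${p.protocol}:` === url.protocol) && hostMatches(p.hostname, host)
  );
}

// Minimal endpoint handler: the remote image is passed as ?href=<url> (assumed
// parameter name). Disallowed hosts get 403 before any fetch is attempted.
function handleImageRequest(requestUrl) {
  const href = new URL(requestUrl).searchParams.get("href");
  if (!href) return { status: 400, body: "missing href" };
  if (!isRemoteImageAllowed(href)) return { status: 403, body: "remote host not allowed" };
  return { status: 200, fetchTarget: href }; // caller performs the fetch only now
}
```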

EPSS for the CVE rose materially from a low baseline to a peak of 0.0175 on 2025-12-11 before receding, indicating post-disclosure exploitation interest that warrants renewed attention despite the current low score.


Vulnerability details

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare's infrastructure allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6.

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

astro (@astrojs/cloudflare): 11.0.3 to 12.6.6

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses: CWE-918)

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. (addresses: CWE-918)

Validates server-side URLs and resource references to block SSRF attempts. (addresses: CWE-918)

Detects server-side request forgery through monitoring of unexpected outbound connections. (addresses: CWE-918)
