CVE-2025-58179
Published: 05 September 2025
Summary
CVE-2025-58179 is a high-severity SSRF (CWE-918) vulnerability in Astro's @astrojs/cloudflare adapter. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 40.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Astro, a web framework for content-driven sites, contains an SSRF vulnerability in versions 11.0.3 through 12.6.5 when the Cloudflare adapter is used with output set to 'server' and the default imageService set to 'compile'. The generated image optimization endpoint fails to validate supplied URLs, and a flaw in the @astrojs/cloudflare adapter permits bypass of intended third-party domain restrictions, allowing the origin to serve arbitrary external content.
An unauthenticated remote attacker can supply crafted image URLs to the optimization endpoint and cause the vulnerable Astro deployment on Cloudflare to fetch and return content from any domain, achieving limited unauthorized data retrieval and potential abuse of the origin's network position.
The issue is resolved in Astro 12.6.6; the referenced GitHub advisory and commit detail the patch that restores proper URL validation within the Cloudflare adapter.
EPSS for this CVE rose materially from a low baseline to a peak of 0.0175 on 2025-12-11 before receding, indicating post-disclosure exploitation interest that warrants renewed attention despite the currently low score.
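The validation failure described above is the absence of a host check on the remote image reference before the endpoint fetches it. As an added example (not Astro's or the adapter's own code), the following shows the kind of allowlist check such an endpoint must apply so that only the configured third-party domains are served; the `/_image` path, the `href` query parameter and the allowlist entries are assumptions for illustration.

```javascript
// Constructed allowlist: exact hosts plus "*." wildcard subdomain patterns
// (the permitted third-party image domains a deployment would configure).
const ALLOWED_IMAGE_HOSTS = ["images.example.com", "*.cdn.example.net"];

// True only when `hostname` equals an allowlist entry exactly or, for a
// "*.domain" entry, is a proper subdomain of that domain.
function hostAllowed(hostname, allowlist) {
  return allowlist.some((entry) => {
    if (entry.startsWith("*.")) {
      const suffix = entry.slice(1); // e.g. ".cdn.example.net"
      return hostname.endsWith(suffix) && hostname.length > suffix.length;
    }
    return hostname === entry;
  });
}

// Validates the remote image reference carried in the endpoint's `href`
// query parameter (assumed name). Returns { ok: true, href } for a
// same-origin relative path or an http(s) URL whose parsed host is
// allowlisted, and { ok: false, reason } for everything else, so a rejected
// request is never forwarded to a fetch on the caller's behalf.
function validateImageRequest(requestUrl, allowlist = ALLOWED_IMAGE_HOSTS) {
  const href = new URL(requestUrl).searchParams.get("href");
  if (!href) return { ok: false, reason: "missing href" };
  // A single leading slash is a same-origin asset; "//host/..." is not.
  if (href.startsWith("/") && !href.startsWith("//")) return { ok: true, href };
  let target;
  try {
    target = new URL(href);
  } catch {
    return { ok: false, reason: "unparseable href" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { ok: false, reason: `scheme not allowed: ${target.protocol}` };
  }
  // Decide on the parsed hostname (lower-cased, userinfo and port already
  // stripped by the URL parser), never on a substring of the raw string.
  if (!hostAllowed(target.hostname.toLowerCase(), allowlist)) {
    return { ok: false, reason: `host not allowlisted: ${target.hostname}` };
  }
  return { ok: true, href: target.href };
}
```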
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26878
Vulnerability details
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Monitoring and limiting of outbound connections to external resources at the boundary, reducing SSRF impact.
- Validation of server-side URLs and resource references to block SSRF attempts.
- Detection of server-side request forgery through monitoring of unexpected outbound connections.