Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN528
_____________________________________________________________________

DATE                : 20/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @astrojs/node (npm) versions prior
                                  to 9.1.1,
                     astro (npm) versions prior to 5.13.2, 4.16.19.

=====================================================================
https://github.com/advisories/GHSA-xf8x-j4p2-f749
_____________________________________________________________________


Unauthorized third-party images in Astro’s _image endpoint
High
ematipico published GHSA-xf8x-j4p2-f749 Aug 19, 2025

Package
@astrojs/node (npm)

Affected versions
<= 9.1.0

Patched versions
>= 9.1.1


astro (npm)

Affected versions
<= 5.13.0
<= 4.16.18

Patched versions
>= 5.13.2
>=4.16.19


Description

Summary

In affected versions of astro, the image optimization endpoint in
projects deployed with on-demand rendering allows images from
unauthorized third-party domains to be served.


Details

On-demand rendered sites built with Astro include an /_image
endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images
bundled with the site and also supports remote images from
domains the site developer has manually authorized (using the
image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker
to bypass the third-party domain restrictions by using a
protocol-relative URL as the image source, e.g.
/_image?href=//example.com/image.png.
Proof of Concept

    Create a new minimal Astro project (astro@5.13.0).

    Configure it to use the Node adapter
(@astrojs/node@9.1.0 — newer versions are not impacted):

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    import node from '@astrojs/node';

    export default defineConfig({
    	adapter: node({ mode: 'standalone' }),
    });

    Build the site by running astro build.

    Run the server, e.g. with astro preview.

    Append /_image?href=//placehold.co/600x400 to the preview
URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

    The site will serve the image from the unauthorized
placehold.co origin.


Impact

Allows a non-authorized third-party to create URLs on an impacted
site’s origin that serve unauthorized image content.

In the case of SVG images, this could include the risk of
cross-site scripting (XSS) if a user followed a link to a
maliciously crafted SVG.


Severity
High

CVE ID
CVE-2025-55303

Weaknesses
Weakness CWE-79


Credits

    @HakuPiku HakuPiku Finder
    @GeneralZero GeneralZero Reporter
    @chriselbring-avalabs chriselbring-avalabs Reporter
    @ematipico ematipico Remediation developer
    @delucis delucis Remediation verifier
    @Princesseuh Princesseuh Remediation reviewer



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================