CVE-2025-65019 Overview
CVE-2025-65019 is a Cross-Site Scripting (XSS) vulnerability in the Astro web framework's Cloudflare adapter (@astrojs/cloudflare). Versions prior to 5.15.9 running with output: 'server' expose an image optimization endpoint at /_image that unconditionally accepts data: protocol URLs. The isRemoteAllowed() helper skips domain allowlist checks for data URLs, letting attackers deliver malicious SVG payloads through the endpoint. Successful exploitation bypasses configured domain restrictions and Content Security Policy (CSP) controls. The issue is tracked under [CWE-79] and was fixed in Astro 5.15.9.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser by luring them to an /_image URL carrying a crafted data:image/svg+xml payload, bypassing Astro's remote domain allowlist and CSP.
Affected Products
- Astro framework versions prior to 5.15.9
- Deployments using @astrojs/cloudflare adapter
- Applications configured with output: 'server' exposing the /_image endpoint
Discovery Timeline
- 2025-11-19 - CVE-2025-65019 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-65019
Vulnerability Analysis
Astro exposes an image optimization endpoint at /_image when applications run in server mode. The endpoint accepts a src parameter, validates it through isRemoteAllowed() in packages/internal-helpers/src/remote.ts, and then fetches or serves the referenced content. The validator returns true for any URL whose protocol equals data:, short-circuiting the domain allowlist entirely. An attacker can therefore submit a data:image/svg+xml payload containing inline <script> elements. When the browser renders the response served from the application's origin, the embedded script executes in the site's security context.
Because the payload is served by the trusted Astro origin, browser Same-Origin Policy treats it as first-party content. This enables session cookie theft, account takeover, and pivoting into authenticated application flows. The bypass also defeats CSP allowlist directives that would normally restrict script sources.
Root Cause
The root cause is a permissive protocol check. The isRemoteAllowed() function in remote.ts returned early with true whenever url.protocol === 'data:', treating data URLs as inherently safe rather than untrusted user-controlled content. SVG data URLs can carry executable script, so this assumption is invalid.
Attack Vector
Exploitation requires user interaction: the victim must load a crafted URL that points to the vulnerable /_image endpoint with a malicious src value. No authentication is required and the attack is delivered over the network.
// Patch: packages/internal-helpers/src/remote.ts
const url = new URL(src);
- // Data URLs are always allowed
- if (url.protocol === 'data:') {
- return true;
- }
-
// Non-http(s) protocols are never allowed
- if (!['http:', 'https:'].includes(url.protocol)) {
+ if (!['http:', 'https:', 'data:'].includes(url.protocol)) {
return false;
}
Source: Astro commit 9e9c528. The patch removes the unconditional allowance and instead requires data: to be explicitly authorized alongside http: and https: through the standard allowlist path.
Detection Methods for CVE-2025-65019
Indicators of Compromise
- Requests to /_image where the src query parameter begins with data:image/svg+xml or any data: scheme.
- HTTP responses from /_image returning Content-Type: image/svg+xml containing <script>, onload=, or javascript: substrings.
- Referrer chains showing users arriving at /_image from untrusted external domains.
Detection Strategies
- Inspect web server and CDN access logs for /_image?src=data: patterns and alert on any match.
- Deploy a Web Application Firewall (WAF) rule that blocks data: values in the src parameter of image optimization endpoints.
- Enable CSP report-uri or report-to directives to capture inline script violations originating from the application origin.
Monitoring Recommendations
- Track the deployed version of astro and @astrojs/cloudflare in build pipelines and flag any release below 5.15.9.
- Baseline typical /_image traffic volume and payload sizes to detect anomalies consistent with SVG exfiltration payloads.
- Review outbound requests from browsers loading /_image responses for beacons to attacker-controlled hosts.
How to Mitigate CVE-2025-65019
Immediate Actions Required
- Upgrade Astro to version 5.15.9 or later across all environments using the Cloudflare adapter with output: 'server'.
- Audit the image.domains and image.remotePatterns configuration and remove any entries that authorize data: URLs.
- Rotate session tokens and API keys for any application where log analysis indicates possible exploitation.
Patch Information
The fix landed in Astro 5.15.9 through commit 9e9c528. See the Astro commit and GitHub Security Advisory GHSA-fvmw-cj7j-j39q for full details. After patching, data: URLs must be explicitly authorized in the remote allowlist, aligning them with http: and https: handling.
Workarounds
- If patching is not immediately possible, place a reverse proxy or WAF rule in front of the application that rejects requests to /_image when the src parameter starts with data:.
- Serve a strict CSP that disallows inline scripts and restricts img-src to trusted origins, reducing but not eliminating impact.
- Temporarily disable the built-in image optimization service and route images through a hardened external provider.
# Upgrade Astro to the patched release
npm install astro@5.15.9
# Verify the installed version
npm ls astro
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

