Astro Web Framework Image Optimization Bypass Vulnerability
Vulnerability
A vulnerability in the Astro web framework, affecting versions prior to 5.13.2 and 4.16.18, allows images from third-party domains that the project never approved to be served through its image optimization endpoint. The issue affects on-demand rendered sites, which expose an '/_image' endpoint for optimized image delivery. By supplying a protocol-relative URL (one beginning with '//', such as '//example.com/image.png') as the image source, an attacker can bypass the configured domain restrictions and have the endpoint serve images from unapproved origins.
Impact
As a result, third-party images that the site owner never approved can be served from the affected site's own domain. If SVG images are served this way, there is a potential cross-site scripting (XSS) risk, particularly if a user is directed to a maliciously crafted SVG now delivered under the site's origin.
Reproduction
To reproduce this vulnerability, create a new Astro project using a vulnerable version (either prior to 5.13.2 or 4.16.18). Configure the project to use the Node adapter version 9.1.0. After building the site and running the server, append '/_image?href=//example.com/image.png' to the preview URL. The server will respond with the image from the unauthorized domain, demonstrating the bypass of domain restrictions.
Remediation
Update to Astro 5.13.2 or later on the 5.x line, or 4.16.18 or later on the 4.x line. Projects using the Node adapter should also update it to version 9.1.1 or later.