Astro Cloudflare Adapter Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Astro web framework's Cloudflare adapter (@astrojs/cloudflare) in Astro versions prior to 5.15.9. The issue is in the image optimization endpoint (/_image) when output is set to 'server'. The isRemoteAllowed() function accepts data: protocol URLs without checking them against the configured image domains or remotePatterns allowlist, so an attacker can hand the endpoint a data: URL carrying an SVG with embedded JavaScript. Because the endpoint serves the resulting image from the site's own origin, the script executes there, sidestepping the remote-domain restrictions and the Content Security Policy protections the site relies on.
Impact
Exploitation of this vulnerability yields stored cross-site scripting: the injected JavaScript runs in the victim's browser within the origin of the vulnerable site. That allows session hijacking, account takeover (including issuing forged requests on the victim's behalf, i.e. CSRF driven from the injected script), and data exfiltration by reading sensitive information from the page or its storage and sending it to attacker-controlled servers.
Reproduction
To reproduce this vulnerability, create a new Astro project, configure it to use the Cloudflare adapter with output set to 'server', and deploy it to Cloudflare Pages or Workers. Then request the /_image endpoint with an image source that is a data: URL containing an SVG with a JavaScript payload (for example an onload handler); Astro's image endpoint takes the source in its href query parameter. Because isRemoteAllowed() accepts the data: URL, the endpoint serves the attacker's SVG from the site's origin, and opening that response in a browser triggers the script. No file needs to be hosted anywhere: the payload travels inside the URL itself.
Remediation
Update to Astro version 5.15.9 or later, where data: URLs are no longer accepted by isRemoteAllowed() by default. After updating, a site that legitimately needs data: URLs for remote images must opt in explicitly by adding an appropriate entry to image.remotePatterns in astro.config.mjs. Treat that opt-in with care: it reintroduces the ability to serve attacker-supplied inline content through the endpoint, so only enable it where the application actually requires it and consider restricting which users can supply image sources.
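To make the root cause and the fix concrete, here is an added example; it is not Astro's source code and not the adapter's real isRemoteAllowed() implementation. It models a remote-image allowlist check in the style of Astro's image.domains and image.remotePatterns options. The weak variant (isRemoteAllowedWeak, a name chosen for this example) short-circuits on data: URLs before consulting the allowlist, which is the shape of flaw the advisory describes; the hardened variant (isRemoteAllowedHardened) parses the input as a URL, rejects any scheme other than http(s) unless the site has explicitly opted in with a { protocol: 'data' } pattern, and only then matches the host and path against the allowlist. The config object, the wildcard rules and the SVG payload are all constructed for this example.

```javascript
// Added example: a model of a remote-image allowlist check, not Astro's code.
// The config shape mirrors Astro's image.domains / image.remotePatterns options
// ({ protocol, hostname, port, pathname }); the wildcard handling below is a
// simplification written for this example, not Astro's matcher.

// Constructed config, the kind of thing a site puts in astro.config.mjs.
const sampleImageConfig = {
  domains: ['images.example.com'],
  remotePatterns: [
    { protocol: 'https', hostname: '**.cdn.example.com', pathname: '/assets/**' },
  ],
};

// Constructed attacker input: an SVG whose onload handler runs script,
// wrapped in a data: URL so it needs no hosting at all.
const maliciousDataUrl =
  'data:image/svg+xml,' +
  encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>');

// Hostname patterns: exact, '*.' (exactly one extra label) or '**.' (any depth).
function hostnameMatches(pattern, hostname) {
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    if (!hostname.endsWith('.' + base)) return false;
    const prefix = hostname.slice(0, hostname.length - base.length - 1);
    return prefix.length > 0 && !prefix.includes('.');
  }
  return pattern === hostname;
}

// Pathname patterns: exact, or a directory prefix when the pattern ends in '/**'.
function pathnameMatches(pattern, pathname) {
  if (pattern.endsWith('/**')) return pathname.startsWith(pattern.slice(0, -2));
  return pattern === pathname;
}

function matchesRemotePattern(url, pattern) {
  if (pattern.protocol && url.protocol !== pattern.protocol + ':') return false;
  if (pattern.hostname && !hostnameMatches(pattern.hostname, url.hostname)) return false;
  if (pattern.port && url.port !== pattern.port) return false;
  if (pattern.pathname && !pathnameMatches(pattern.pathname, url.pathname)) return false;
  return true;
}

// Hardened check: parse first, decide by scheme, then consult the allowlist.
function isRemoteAllowedHardened(src, { domains = [], remotePatterns = [] } = {}) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false; // relative or unparsable input is not a remote URL
  }
  // data: carries attacker-chosen content and has no hostname to allowlist,
  // so it is refused unless the site opts in with an explicit data pattern.
  if (url.protocol === 'data:') {
    return remotePatterns.some((p) => p.protocol === 'data');
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (domains.includes(url.hostname)) return true;
  return remotePatterns.some((p) => matchesRemotePattern(url, p));
}

// Weak check: the shape of the flaw the advisory describes. A data: URL is
// accepted before the allowlist is consulted at all, so an inline SVG with
// script passes regardless of image.domains / image.remotePatterns.
function isRemoteAllowedWeak(src, config = {}) {
  if (src.startsWith('data:')) return true;
  return isRemoteAllowedHardened(src, config);
}

// Stand-alone demo.
console.log('weak     accepts inline SVG:', isRemoteAllowedWeak(maliciousDataUrl, sampleImageConfig));
console.log('hardened accepts inline SVG:', isRemoteAllowedHardened(maliciousDataUrl, sampleImageConfig));
console.log('hardened accepts allowlisted:',
  isRemoteAllowedHardened('https://a.b.cdn.example.com/assets/x.png', sampleImageConfig));
```

The point of the hardened ordering is that the decision is made on the parsed scheme before any string-prefix shortcut: data:, javascript: and relative paths all fail closed, and only an explicit { protocol: 'data' } entry in remotePatterns re-enables inline content, which is the opt-in the remediation above refers to.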
