CVE-2026-41321: CWE-918: Server-Side Request Forgery (SSRF) in withastro @astrojs/cloudflare
@astrojs/cloudflare versions prior to 13.1.10 contain a Server-Side Request Forgery (SSRF) vulnerability. The issue arises because the fetch() call for remote images follows HTTP redirects by default, so a response from an allowed host can redirect the request to an arbitrary URL. This bypasses the domain allowlist check, which validates only the initial URL and not the redirect target, potentially enabling SSRF attacks. This vulnerability is a regression from an incomplete fix for CVE-2025-58179 and has been addressed in version 13.1.10.
AI Analysis
Technical Summary
CVE-2026-41321 is a Server-Side Request Forgery (SSRF) vulnerability in the @astrojs/cloudflare package, an SSR adapter for Cloudflare Workers. In versions before 13.1.10, the fetch() call used to retrieve remote images follows HTTP redirects by default (redirect: 'follow'), so a response from an allowlisted host can redirect the Cloudflare Worker to an arbitrary URL. The isRemoteAllowed() domain allowlist check validates only the initial URL, not the redirect target, so the check is bypassed and the Worker ends up requesting a URL the allowlist would have rejected. The vulnerability is a regression from an incomplete fix for a previous SSRF issue (CVE-2025-58179) and is fixed in version 13.1.10.
Potential Impact
The vulnerability allows an attacker to cause the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the domain allowlist restrictions. The CVSS score is low (2.2) and the rated impact on confidentiality, integrity, and availability is minimal, but the flaw could still be used to make unauthorized requests from the server environment. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in version 13.1.10 of @astrojs/cloudflare. Users should upgrade to this version or later to remediate the vulnerability. Although this is a cloud service adapter and the vendor manages remediation for the cloud-hosted service, the package is bundled into your own deployment, so upgrading it in your environment is necessary to ensure protection.
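The weak and the corrected redirect handling side by side, as an added example that is not the adapter's own code: the isRemoteAllowed() helper is a simplified stand-in for the adapter's allowlist check, and the mock network and URLs are constructed for the demonstration.

```javascript
// Added example, not @astrojs/cloudflare code. ALLOWED_HOSTS, MOCK_NET and
// the URLs below are constructed for the demonstration.
const ALLOWED_HOSTS = ['images.example.com'];

// Simplified stand-in for the adapter's allowlist check: scheme + hostname only.
function isRemoteAllowed(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return (u.protocol === 'https:' || u.protocol === 'http:') && ALLOWED_HOSTS.includes(u.hostname);
}

// Constructed mock of the network: an allowlisted host answers with a redirect
// to a host that is NOT on the allowlist.
const MOCK_NET = {
  'https://images.example.com/logo.png': { status: 302, location: 'https://not-allowed.example.org/x' },
  'https://not-allowed.example.org/x': { status: 200, body: 'reached off-list host' },
  'https://images.example.com/ok.png': { status: 200, body: 'image bytes' },
};
function mockFetch(url, init) {
  const r = MOCK_NET[url] || { status: 404 };
  const isRedirect = r.status >= 300 && r.status < 400 && r.location;
  // Like real fetch(), follow redirects unless the caller asked for 'manual'.
  if (isRedirect && init?.redirect !== 'manual') return mockFetch(r.location, init);
  const headers = new Map(r.location ? [['location', r.location]] : []);
  return Promise.resolve({ status: r.status, url, body: r.body ?? '', headers });
}

// Weak pattern (pre-13.1.10 behaviour described above): only the initial URL is
// checked, then fetch() silently follows the redirect to wherever it points.
async function fetchRemoteImageVulnerable(src, fetchImpl = mockFetch) {
  if (!isRemoteAllowed(src)) throw new Error('host not allowed: ' + src);
  return fetchImpl(src, { redirect: 'follow' });
}

// Hardened pattern: disable automatic redirects, re-run the allowlist check on
// every hop (resolving relative Location headers), and cap the hop count.
async function fetchRemoteImageHardened(src, fetchImpl = mockFetch, maxHops = 5) {
  let current = src;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isRemoteAllowed(current)) throw new Error('host not allowed: ' + current);
    const res = await fetchImpl(current, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).toString();
      continue;
    }
    return res;
  }
  throw new Error('too many redirects');
}
```

Swap mockFetch for the platform fetch to use the hardened version for real; the allowlist check is deliberately minimal here and a production check should also reject non-HTTP schemes and any other host class your policy excludes.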
CVSS v3.1 score: 2.2 (Low)
Weaknesses: CWE-918 Server-Side Request Forgery (SSRF)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-20T14:01:46.671Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Is Cloud Service: true
Threat ID: 69ebaa0487115cfb685ef424
Added to database: 4/24/2026, 5:36:04 PM
Last enriched: 5/1/2026, 8:42:30 PM
Last updated: 6/7/2026, 4:11:05 PM