CVE-2026-41321: CWE-918: Server-Side Request Forgery (SSRF) in withastro @astrojs/cloudflare
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerabiity is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.
AI Analysis
Technical Summary
@astrojs/cloudflare is an SSR adapter targeting Cloudflare Workers. In versions before 13.1.10, the fetch() call for remote images uses the default redirect behavior ('follow'), which allows HTTP redirects to arbitrary URLs. The domain allowlist check (isRemoteAllowed()) only validates the initial URL and does not account for redirects, enabling SSRF. This vulnerability is a result of an incomplete fix for CVE-2025-58179. The issue is fixed in version 13.1.10. The CVSS v3.1 base score is 2.2, indicating low severity, with network attack vector, high attack complexity, requiring privileges, no user interaction, unchanged scope, and low availability impact.
Potential Impact
The vulnerability allows an attacker with privileges to cause the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing domain allowlist checks. This can lead to limited availability impact but does not affect confidentiality or integrity. There are no known exploits in the wild. The low CVSS score reflects the limited impact and the requirement for privileges to exploit.
Mitigation Recommendations
A patch is available in version 13.1.10 of @astrojs/cloudflare that fixes this SSRF vulnerability by addressing the redirect behavior in fetch() calls. Since this is a cloud service adapter, the vendor manages remediation for the cloud-hosted service. Users should upgrade to version 13.1.10 or later to mitigate this vulnerability. Check the vendor advisory for the latest remediation guidance.
CVE-2026-41321: CWE-918: Server-Side Request Forgery (SSRF) in withastro @astrojs/cloudflare
Description
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerabiity is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
@astrojs/cloudflare is an SSR adapter targeting Cloudflare Workers. In versions before 13.1.10, the fetch() call for remote images uses the default redirect behavior ('follow'), which allows HTTP redirects to arbitrary URLs. The domain allowlist check (isRemoteAllowed()) only validates the initial URL and does not account for redirects, enabling SSRF. This vulnerability is a result of an incomplete fix for CVE-2025-58179. The issue is fixed in version 13.1.10. The CVSS v3.1 base score is 2.2, indicating low severity, with network attack vector, high attack complexity, requiring privileges, no user interaction, unchanged scope, and low availability impact.
Potential Impact
The vulnerability allows an attacker with privileges to cause the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing domain allowlist checks. This can lead to limited availability impact but does not affect confidentiality or integrity. There are no known exploits in the wild. The low CVSS score reflects the limited impact and the requirement for privileges to exploit.
Mitigation Recommendations
A patch is available in version 13.1.10 of @astrojs/cloudflare that fixes this SSRF vulnerability by addressing the redirect behavior in fetch() calls. Since this is a cloud service adapter, the vendor manages remediation for the cloud-hosted service. Users should upgrade to version 13.1.10 or later to mitigate this vulnerability. Check the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T14:01:46.671Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69ebaa0487115cfb685ef424
Added to database: 4/24/2026, 5:36:04 PM
Last enriched: 4/24/2026, 5:51:17 PM
Last updated: 4/24/2026, 8:26:25 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.