CVE-2026-41321

LOW SEVERITY

CVSS Score & Metrics

Base Score

2.2 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L                                    

Vulnerability Description

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed() domain allowlist check which only validates the initial URL. This vulnerabiity is caused by an incomplete fix for CVE-2025-58179. This vulnerability is fixed in 13.1.10.

Vulnerability Details

Published Date

April 23, 2026

Last Modified

April 27, 2026

CWE ID

CWE-918

Source

GitHub

Vendor

npm

Product

@astrojs/cloudflare

External References

https://github.com/withastro/astro/security/advisories/GHSA-88gm-j2wx-58h6
https://github.com/withastro/astro/commit/a43eb4b40b4f81530e3c9b5e2959495900320433
https://github.com/advisories/GHSA-qpr4-c339-7vq8
https://github.com/withastro/astro/releases/tag/%40astrojs%2Fcloudflare%4013.1.10
https://github.com/advisories/GHSA-88gm-j2wx-58h6

CVE-2026-41321

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment