What is the CVSS score of CVE-2025-58179?

CVE-2025-58179 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.3%.

Which versions of Astrojs Cloudflare are affected by CVE-2025-58179?

Organizations using Astro face moderate risk from CVE-2025-58179, a server-side request forgery vulnerability rated CVSS 7.2.. A patch is available.

Is there a public PoC exploit available for CVE-2025-58179?

Yes, a public proof-of-concept exploit is available for CVE-2025-58179. Prioritise patching immediately. EPSS: 0.3%.

How to fix or mitigate CVE-2025-58179?

Within 30 days: Identify all affected systems and apply vendor patches as part of regular patch cycle. Implement egress filtering and URL validation for server-side requests.

Astrojs Cloudflare CVE-2025-58179

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2025-09-05 security-advisories@github.com

SSRF Astrojs Cloudflare

7.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:10 vuln.today

Patch released

Mar 28, 2026 - 19:10 nvd

Patch available

PoC Detected

Dec 22, 2025 - 20:08 vuln.today

Public exploit code

CVE Published

Sep 05, 2025 - 00:15 nvd

HIGH 7.2

DescriptionGitHub Advisory

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. a A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6.

AnalysisAI

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. a A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6. Affected products include: Astro \@Astrojs\/Cloudflare. Version information: through 12.6.5.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

CVE-2025-58179 vulnerability details – vuln.today

Back

Astrojs Cloudflare CVE-2025-58179

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code