@renovate renovate bot commented Sep 8, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| @astrojs/cloudflare (source) | 11.0.4 -> 12.6.6 | age | confidence |

GitHub Vulnerability Alerts

CVE-2025-58179

Summary

When using Astro's Cloudflare adapter (@astrojs/cloudflare) configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint, which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin.

PoC

  1. Create a new minimal Astro project ([email protected])

  2. Configure it to use the Cloudflare adapter (@astrojs/[email protected]) and server output:

    // astro.config.mjs
    import { defineConfig } from 'astro/config';
    import cloudflare from '@astrojs/cloudflare';
    
    export default defineConfig({
      output: 'server',
      adapter: cloudflare(),
    });
  3. Deploy to Cloudflare Pages or Workers

  4. Append /_image?href=https://placehold.co/600x400 to the deployment URL.

  5. This will serve the placeholder image from the unauthorised placehold.co domain.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized content. This includes the risk of server-side request forgery (SSRF) and by extension cross-site scripting (XSS) if a user follows a link to a maliciously crafted URL.
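The origin check the Details section describes, as an added example written for this page (not code from Astro or the Cloudflare adapter): a validator for the `/_image?href=` parameter against `image.domains` and `image.remotePatterns`, which rejects the PoC's placehold.co URL. The wildcard rules for `**.`, `*.`, `/**` and `/*` are assumptions based on Astro's documentation, and the config values are constructed.

```javascript
// Added example, not Astro's code: the allowlist check the /_image endpoint
// must apply to its `href` parameter, modelled on Astro's `image.domains` and
// `image.remotePatterns` options. Wildcard semantics follow Astro's docs (assumed).

// Constructed config: one exact domain plus one wildcard pattern.
const imageConfig = {
  domains: ['cdn.example.com'],
  remotePatterns: [
    { protocol: 'https', hostname: '**.trusted.example', pathname: '/images/**' },
  ],
};

// '**.' matches any depth of subdomain (and the base itself), '*.' exactly one level.
function matchHostname(pattern, hostname) {
  if (pattern.startsWith('**.')) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith('.' + base);
  }
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return hostname.endsWith('.' + base) && !hostname.slice(0, -base.length - 1).includes('.');
  }
  return pattern === hostname;
}

// '/**' matches any sub-path, '/*' a single path segment.
function matchPathname(pattern, pathname) {
  if (pattern.endsWith('/**')) return pathname.startsWith(pattern.slice(0, -2));
  if (pattern.endsWith('/*')) {
    const base = pattern.slice(0, -1);
    return pathname.startsWith(base) && !pathname.slice(base.length).includes('/');
  }
  return pattern === pathname;
}

function matchesPattern(p, url) {
  if (p.protocol && p.protocol + ':' !== url.protocol) return false;
  if (p.hostname && !matchHostname(p.hostname, url.hostname)) return false;
  if (p.port !== undefined && p.port !== url.port) return false;
  return !p.pathname || matchPathname(p.pathname, url.pathname);
}

// Site-relative paths are treated as bundled local assets (Astro's own local-asset
// handling is separate and not modelled here); anything else must be authorized.
function isAllowedImageHref(href, config) {
  if (href.startsWith('/') && !href.startsWith('//')) return true; // '//host' is remote
  let url; try { url = new URL(href); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return config.domains.includes(url.hostname) || config.remotePatterns.some((p) => matchesPattern(p, url));
}
```

The impacted adapter versions skipped this check for `output: 'server'` deployments, so a request like the PoC's was fetched and served from the site's own origin.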


Release Notes

withastro/astro (@astrojs/cloudflare)

v12.6.6

Patch Changes

v12.6.5

Patch Changes

v12.6.4

Patch Changes

v12.6.3

Patch Changes
  • #14066 7abde79 Thanks @alexanderniebuhr! - Refactors the internal solution which powers Astro Sessions when running local development with `astro dev`.

    The adapter now utilizes Cloudflare's local support for Cloudflare KV. This internal change is a drop-in replacement and does not require any change to your project code.

    However, you now have the ability to connect to the remote Cloudflare KV Namespace if desired and use production data during local development.

  • Updated dependencies []:

v12.6.2

Patch Changes

v12.6.1

Patch Changes

v12.6.0

Minor Changes
  • #13837 7cef86f Thanks @alexanderniebuhr! - Adds new configuration options to allow you to set a custom workerEntryPoint for Cloudflare Workers. This is useful if you want to use features that require handlers (e.g. Durable Objects, Cloudflare Queues, Scheduled Invocations) not supported by the basic generic entry file.

    This feature is not supported when running the Astro dev server. However, you can run astro build followed by either wrangler deploy (to deploy it) or wrangler dev to preview it.

    The following example configures a custom entry file that registers a Durable Object and a queue handler:

    // astro.config.ts
    import cloudflare from '@astrojs/cloudflare';
    import { defineConfig } from 'astro/config';
    
    export default defineConfig({
      adapter: cloudflare({
        workerEntryPoint: {
          path: 'src/worker.ts',
          namedExports: ['MyDurableObject'],
        },
      }),
    });
    // src/worker.ts
    import type { SSRManifest } from 'astro';
    
    import { App } from 'astro/app';
    import { handle } from '@astrojs/cloudflare/handler';
    import { DurableObject } from 'cloudflare:workers';
    
    class MyDurableObject extends DurableObject<Env> {
      constructor(ctx: DurableObjectState, env: Env) {
        super(ctx, env);
      }
    }
    
    export function createExports(manifest: SSRManifest) {
      const app = new App(manifest);
      return {
        default: {
          async fetch(request, env, ctx) {
            await env.MY_QUEUE.send('log');
            return handle(manifest, app, request, env, ctx);
          },
          async queue(batch, _env) {
            let messages = JSON.stringify(batch.messages);
            console.log(`consumed from our queue: ${messages}`);
          },
        } satisfies ExportedHandler<Env>,
        MyDurableObject,
      };
    }
Patch Changes

v12.5.5

Patch Changes

v12.5.4

Patch Changes

v12.5.3

Patch Changes

v12.5.2

Patch Changes

v12.5.1

Patch Changes

v12.5.0

Minor Changes
  • #13527 2fd6a6b Thanks @ascorbic! - The experimental session API introduced in Astro 5.1 is now stable and ready for production use.

    Sessions are used to store user state between requests for on-demand rendered pages. You can use them to store user data, such as authentication tokens, shopping cart contents, or any other data that needs to persist across requests:

v12.4.1

Patch Changes

v12.4.0

Minor Changes
  • #13514 a9aafec Thanks @ascorbic! - Automatically configures Cloudflare KV storage when experimental sessions are enabled

    If the experimental.session flag is enabled when using the Cloudflare adapter, Astro will automatically configure the session storage using the Cloudflare KV driver. You can still manually configure the session storage if you need to use a different driver or want to customize the session storage configuration. If you want to use sessions, you will need to create the KV namespace and declare it in your wrangler config. You can do this using the Wrangler CLI:

    npx wrangler kv namespace create SESSION

    This will log the id of the created namespace. You can then add it to your wrangler.json/wrangler.toml file like this:

    // wrangler.json
    {
      "kv_namespaces": [
        {
          "binding": "SESSION",
          "id": "<your kv namespace id here>",
        },
      ],
    }

    By default it uses the binding name SESSION, but if you want to use a different binding name you can do so by passing the sessionKVBindingName option to the adapter. For example:

    import { defineConfig } from 'astro/config';
    import cloudflare from '@astrojs/cloudflare';
    export default defineConfig({
      output: 'server',
      site: `http://example.com`,
      adapter: cloudflare({
        platformProxy: {
          enabled: true,
        },
        sessionKVBindingName: 'MY_SESSION',
      }),
      experimental: {
        session: true,
      },
    });

    See the Cloudflare KV docs for more details on setting up KV namespaces.

    See the experimental session docs for more information on configuring session storage.

Patch Changes

v12.3.1

Patch Changes

v12.3.0

Minor Changes
Patch Changes

v12.2.4

Patch Changes

v12.2.3

Patch Changes

v12.2.2

Patch Changes

v12.2.1

Patch Changes

v12.2.0

Minor Changes
Patch Changes

v12.1.0

Minor Changes
  • #455 1d4e6fc Thanks @meyer! - Adds wrangler.jsonc to the default watched config files. If a config file is specified in platformProxy.configPath, that file location is watched instead of the defaults.
Patch Changes

v12.0.1

Patch Changes
  • #465 70e0054 Thanks @bluwy! - Fixes setting custom workerd and worker conditions for the ssr environment only

v12.0.0

Major Changes
  • #367 e02b54a Thanks @alexanderniebuhr! - Removed support for the Squoosh image service. As the underlying library libsquoosh is no longer maintained, and the image service sees very little usage, we have decided to remove it from Astro.

    Our recommendation is to use the base Sharp image service, which is more powerful, faster, and more actively maintained.

    - import { squooshImageService } from "astro/config";
    import { defineConfig } from "astro/config";
    
    export default defineConfig({
    -  image: {
    -    service: squooshImageService()
    -  }
    });

    If you are using this service, and cannot migrate to the base Sharp image service, a third-party extraction of the previous service is available here: https://github.com/Princesseuh/astro-image-service-squoosh

  • #367 e02b54a Thanks @alexanderniebuhr! - Deprecates the functionPerRoute option

    This option is now deprecated, and will be removed entirely in Astro v5.0. We suggest removing this option from your configuration as soon as you are able to:

    import { defineConfig } from 'astro/config';
    import vercel from '@astrojs/vercel/serverless';
    
    export default defineConfig({
      // ...
      output: 'server',
      adapter: vercel({
    -     functionPerRoute: true,
      }),
    });
  • #375 e7881f7 Thanks @Princesseuh! - Updates internal code to work with Astro 5 changes to hybrid rendering. No changes are necessary to your project, apart from using Astro 5

  • #397 776a266 Thanks @Princesseuh! - Welcome to the Astro 5 beta! This release has no changes from the latest alpha of this package, but it does bring us one step closer to the final, stable release.

    Starting from this release, no breaking changes will be introduced unless absolutely necessary.

    To learn how to upgrade, check out the Astro v5.0 upgrade guide in our beta docs site.

  • #451 f248546 Thanks @ematipico! - Updates esbuild dependency to v0.24.0

  • #392 3a49eb7 Thanks @Princesseuh! - Updates internal code for Astro 5 changes. No changes are required to your project, apart from using Astro 5

Patch Changes

v11.2.0

Minor Changes
  • #423 169ac24 Thanks @schummar! - Changes the logic which generates the _routes.json file to improve generation for projects with many static pages, while still making sure all routes work as expected.
Patch Changes
  • #409 d63bed8 Thanks @alexanderniebuhr! - Fixes an issue where cloudflare: scoped imports made the build fail. We externalize all imports with the cloudflare: scope by default now.

v11.1.0

Minor Changes

v11.0.5

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-astrojs-cloudflare-vulnerability branch from 7b66915 to 96fda4b Compare September 25, 2025 20:44
@renovate renovate bot force-pushed the renovate/npm-astrojs-cloudflare-vulnerability branch from 96fda4b to 3a1c469 Compare October 21, 2025 14:55