@astrojs/internal-helpers 0.0.0-non-admin-test-20240308195029 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @astrojs/internal-helpers package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) @astrojs/internal-helpers is an Internal helpers used by core Astro packages. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `/_image` endpoint. An attacker can access internal or unauthorized resources by submitting crafted URLs to the generated image optimization endpoint configured with `output: server` and utilizing default `imageService: compile`. Note: This was partially fixed by the patch for CVE-2025-58179. That fix blocks `http://`, `https://` and `//`, but can be bypassed using backslashes (`\`); the endpoint still issues a server-side fetch. How to fix Server-side Request Forgery (SSRF)? Upgrade `@astrojs/internal-helpers` to version 0.7.3 or higher.	<0.7.3
M Cross-site Scripting (XSS) @astrojs/internal-helpers is an Internal helpers used by core Astro packages. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `/_image` endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files, to be served by bypassing domain restrictions using protocol-relative URLs. This can lead to the execution of arbitrary scripts in the context of the affected site if a user follows a crafted link. Note: This vulnerability is only exploitable in projects using the `@astrojs/node` adapter and on-demand rendering. How to fix Cross-site Scripting (XSS)? Upgrade `@astrojs/internal-helpers` to version 0.7.2 or higher.	<0.7.2

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

@astrojs/internal-helpers is an Internal helpers used by core Astro packages.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /_image endpoint. An attacker can access internal or unauthorized resources by submitting crafted URLs to the generated image optimization endpoint configured with output: server and utilizing default imageService: compile.

Note:

This was partially fixed by the patch for CVE-2025-58179. That fix blocks http://, https:// and //, but can be bypassed using backslashes (\); the endpoint still issues a server-side fetch.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @astrojs/internal-helpers to version 0.7.3 or higher.

<0.7.3

Cross-site Scripting (XSS)

@astrojs/internal-helpers is an Internal helpers used by core Astro packages.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /_image endpoint. An attacker can cause loading of unauthorized third-party images, including potentially malicious SVG files, to be served by bypassing domain restrictions using protocol-relative URLs. This can lead to the execution of arbitrary scripts in the context of the affected site if a user follows a crafted link.

Note: This vulnerability is only exploitable in projects using the @astrojs/node adapter and on-demand rendering.

How to fix Cross-site Scripting (XSS)?

Upgrade @astrojs/internal-helpers to version 0.7.2 or higher.

<0.7.2

@astrojs/internal-helpers@0.0.0-non-admin-test-20240308195029 vulnerabilities

Internal helpers used by core Astro packages.

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically