
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-65019) was discovered in Astro's Cloudflare adapter (@astrojs/cloudflare) affecting versions below 5.15.9. The vulnerability exists in the /_image endpoint when the output: 'server' configuration is used: the isRemoteAllowed() function incorrectly allows data: protocol URLs without proper validation. The vulnerability was disclosed on November 19, 2025, and has been patched in version 5.15.9 (GitHub Advisory).
The vulnerability stems from a flaw in the isRemoteAllowed() function located in packages/internal-helpers/src/remote.ts. The function unconditionally allows all data: protocol URLs without any validation or sanitization, bypassing domain restrictions and Content Security Policy protections. The vulnerability has been assigned a CVSS score of 5.4 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (GitHub Advisory).
The vulnerability can lead to several serious security implications including: Stored Cross-Site Scripting (XSS) allowing execution of malicious JavaScript in victims' browsers, potential session hijacking through access to cookies and session tokens, possible account takeover when combined with CSRF attacks, and data exfiltration where sensitive information can be stolen and transmitted to attacker-controlled servers (GitHub Advisory).
The vulnerability has been patched in version 5.15.9 of the package. Users should upgrade to this version or later. Those who need to use data URIs for remote images must explicitly authorize them by updating their astro.config.mjs file to include a remotePatterns configuration that allows the data protocol (GitHub Advisory, Astro Commit).
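The difference between the flawed check and an opt-in check, as an added example that is not Astro's code or part of the advisory. It is a simplified model: the function names, the reduced pattern matcher, the { protocol: 'data' } pattern shape and the sample URL and hostnames are assumptions constructed for illustration.

```javascript
// Simplified model of a remote-image allowlist check. NOT Astro's source:
// function names and the reduced pattern matching are assumptions.
function parse(src) {
  try { return new URL(src); } catch { return null; }
}

// Reduced matcher: protocol plus exact hostname only.
function matchesPattern(url, pattern) {
  const protocolOk = !pattern.protocol || pattern.protocol === url.protocol.slice(0, -1);
  const hostOk = !pattern.hostname || pattern.hostname === url.hostname;
  return protocolOk && hostOk;
}

function matchesAllowlist(url, { domains = [], remotePatterns = [] }) {
  return domains.includes(url.hostname) || remotePatterns.some((p) => matchesPattern(url, p));
}

// Behaviour the advisory describes: data: URLs bypass the allowlist entirely.
function isRemoteAllowedBefore(src, config) {
  const url = parse(src);
  if (!url) return false;
  if (url.protocol === 'data:') return true; // unconditional allow
  if (!['http:', 'https:'].includes(url.protocol)) return false;
  return matchesAllowlist(url, config);
}

// Hardened form: data: is accepted as a protocol but must match a pattern.
function isRemoteAllowedAfter(src, config) {
  const url = parse(src);
  if (!url) return false;
  if (!['http:', 'https:', 'data:'].includes(url.protocol)) return false;
  return matchesAllowlist(url, config);
}

// Constructed sample input and configurations.
const DATA_URL = 'data:image/png;base64,iVBORw0KGgo=';
const strict = { domains: ['images.example.com'], remotePatterns: [] };
const optIn = { domains: ['images.example.com'], remotePatterns: [{ protocol: 'data' }] };

// Compare both checks for the same data: URL under a given configuration.
function audit(config) {
  return { before: isRemoteAllowedBefore(DATA_URL, config), after: isRemoteAllowedAfter(DATA_URL, config) };
}

console.log('strict:', audit(strict));
console.log('opt-in:', audit(optIn));
```

With the strict configuration the earlier check accepts the data: URL even though no pattern lists it, while the hardened check accepts it only once a data pattern has been added.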
Source: This report was generated using AI