CVE-2026-27829

HIGH EPSS 19.8%
Published Feb 26, 20264mo ago · Modified Jun 17, 20262w ago
7.2 CVSS 3.1
High
Find Similar
Published Feb 26, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue.

CVSS Details

Base Score
7.2
Exploitability
3.9
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
19.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 1

VendorProductVersionRange
astro\@astrojs\/node*≥9.0.0  –  <9.5.4

References 2

  • github.com https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9
    Patch
  • github.com https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9
    Patch