CVE-2026-27829
published 2026-02-26CVE-2026-27829: Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns`…
PriorityP347high7.2CVSS 3.1
AVNACLPRNUINSCCNILAL
EPSS
0.28%
19.8th percentile
Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astrojs_node | >= 9.0.0 < 9.5.4 | 9.5.4 |
| astrojs | node | >= 9.0.0 < 9.5.4 | 9.5.4 |
| withastro | astro | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
osv·2026-02-25
CVE-2026-27829 [MEDIUM] Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
## Summary
A bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts.
## Details
Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options).
However, when `inferSize` is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplie
GHSA
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
ghsa·2026-02-25
CVE-2026-27829 [MEDIUM] CWE-918 Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
## Summary
A bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts.
## Details
Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options).
However, when `inferSize` is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplie
No detection rules found.
No public exploits indexed.
2026-02-26
Published