Snyk
added 2026/02/26 3:13 a.m., 2 views

Server-side Request Forgery (SSRF)

Overview: astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the inferSize option that fetches remote images at render time to determine their dimensions. An...

CVSS 7.2, AI score 6, EPSS 0.00076
Exploits: 1, References: 2
NVD
added 2026/02/26 1:16 a.m., 6 views

CVE-2026-27829

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an inferSize option that fetches remote images at rend...

CVSS 7.2, EPSS 0.00076
Exploits: 1, References: 2
CVE
added 2026/02/26 12:36 a.m., 7 views

CVE-2026-27829

Astro versions 9.0.0–9.5.3 contain a bug in the image pipeline where inferSize fetches remote images at render time without validating domains, allowing SSRF by fetching from arbitrary hosts despite image.domains/image.remotePatterns restrictions. An attacker who can influence the image URL (e.g....

CVSS 7.2, AI score 5.7, EPSS 0.00076
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2026/02/26 12:36 a.m., 17 views

CVE-2026-27829 Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an inferSize option that fetches remote images at rend...

CVSS 6.5, EPSS 0.00076
Exploits: 1, References: 2
OSV
added 2026/02/25 6:11 p.m., 5 views

GHSA-CJ9F-H6R6-4CX2 Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize

Summary: A bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. Details: Astro provides an inferSize option that fetches remote images at render time to determine their dimensions. Remo...

CVSS 6.5, AI score 5.9, EPSS 0.00076
Exploits: 1, References: 4
Github Security Blog
added 2026/02/25 6:11 p.m., 5 views

Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize

Summary: A bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. Details: Astro provides an inferSize option that fetches remote images at render time to determine their dimensions. Remo...

CVSS 7.2, AI score 5.8, EPSS 0.00076
Exploits: 1, References: 4, Affected Software: 1
Positive Technologies
added 2026/02/25 12:0 a.m., 3 views

PT-2026-22062

Name of the Vulnerable Software and Affected Versions: Astro versions 9.0.0 through 9.5.3. Description: Astro’s image pipeline contains a flaw that allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. The inferSize...

CVSS 6.5, AI score 5.6, EPSS 0.00076
Exploits: 1, References: 5