Description

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed — the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue.

INFO

Published Date :

2026-02-26T00:36:40.497Z

Last Modified :

2026-02-26T16:21:44.676Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27829 vulnerability.

Vendors Products
Astro
  • \@astrojs\/node
Withastro
  • Astro
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27829.

URL Resource
https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9 cve-icon cve-icon
https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact