CVE-2026-33769

Low CVSS: 2.9

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.

Vendor

Astro

Product

Astro

CWE

CWE-20

Yayın Tarihi

2026-03-24 19:16:55

Güncelleme

2026-03-26 12:04:56

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Astro LOW Astro 2026

Referanslar

https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f

Benzer Kayıtlar

Medium

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path head…

Medium

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full reque…

Medium

CVE-2026-27829

Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domai…

Medium

CVE-2026-27729

Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit,…

Medium

CVE-2026-25545

Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered cus…

Medium

CVE-2025-66202

Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated a…