{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27829", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.800Z", "datePublished": "2026-02-26T00:36:40.497Z", "dateUpdated": "2026-02-26T16:21:44.676Z"}, "containers": {"cna": {"title": "Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2"}, {"name": "https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9", "tags": ["x_refsource_MISC"], "url": "https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9"}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"version": ">= 9.0.0, < 9.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:36:40.497Z"}, "descriptions": [{"lang": "en", "value": "Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed \u2014 the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue."}], "source": {"advisory": "GHSA-cj9f-h6r6-4cx2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T16:21:28.348418Z", "id": "CVE-2026-27829", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:21:44.676Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:astro:\\@astrojs\\/node:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "4544AFCE-A719-4079-859C-E356B5871A4C", "versionEndExcluding": "9.5.4", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed \u2014 the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue."}, {"lang": "es", "value": "Astro es un framework web. En las versiones 9.0.0 a 9.5.3, un error en la pipeline de im\u00e1genes de Astro permite eludir las restricciones de `image.domains` / `image.remotePatterns`, lo que permite al servidor obtener contenido de hosts remotos no autorizados. Astro proporciona una opci\u00f3n `inferSize` que obtiene im\u00e1genes remotas en el momento de la renderizaci\u00f3n para determinar sus dimensiones. La obtenci\u00f3n de im\u00e1genes remotas est\u00e1 destinada a restringirse a dominios que el desarrollador del sitio ha autorizado manualmente (utilizando las opciones `image.domains` o `image.remotePatterns`). Sin embargo, cuando se utiliza `inferSize`, no se realiza ninguna validaci\u00f3n de dominio \u2014 la imagen se obtiene de cualquier host independientemente de las restricciones configuradas. Un atacante que puede influir en la URL de la imagen (por ejemplo, a trav\u00e9s de contenido de CMS o datos proporcionados por el usuario) puede hacer que el servidor obtenga contenido de hosts arbitrarios. Esto permite eludir las restricciones de `image.domains` / `image.remotePatterns` para realizar peticiones del lado del servidor a hosts no autorizados. Esto incluye el riesgo de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) contra servicios de red internos y puntos finales de metadatos en la nube. La versi\u00f3n 9.5.4 corrige el problema."}], "id": "CVE-2026-27829", "lastModified": "2026-03-09T20:47:35.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T01:16:24.390", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.5.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "astro", "source": "cna", "vendor": "withastro"}, "product": "astro", "vendor": "withastro"}], "created": "2026-02-26T13:10:19.550092+00:00", "updated": "2026-02-26T13:10:19.550210+00:00", "vendors": ["withastro", "withastro$PRODUCT$astro"]}