Description
This issue concerns Astro’s remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match.
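An added illustration of the bug class named above, not Astro's own code: the same "/*" pathname check written once unanchored and once anchored, behind a remotePatterns-style allowlist whose {protocol, hostname, pathname} entry shape, hostnames and URLs are assumed here.

```javascript
// Added example, not Astro's implementation. Entry shape
// {protocol, hostname, pathname} is assumed; hostnames are compared
// exactly (wildcard hostnames are out of scope for this illustration).

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Weak: no "^" anchor, so the allowed prefix may appear anywhere in the
// pathname and "/public/*" wrongly matches "/private/public/x.png".
function matchPathUnanchored(pathname, pattern) {
  if (!pattern.endsWith('/*')) return pathname === pattern;
  const prefix = pattern.slice(0, -2);
  return new RegExp(escapeRegex(prefix) + '/').test(pathname);
}

// Fixed: anchor at the start of the pathname and require the "/" segment
// boundary, so neither "/private/public/x.png" nor "/publicity/x.png"
// matches "/public/*".
function matchPathAnchored(pathname, pattern) {
  if (!pattern.endsWith('/*')) return pathname === pattern;
  const prefix = pattern.slice(0, -2);
  return new RegExp('^' + escapeRegex(prefix) + '/').test(pathname);
}

// Allowlist check over a full URL; every field an entry specifies must
// match. matchPath is injectable so the two variants can be compared.
function isAllowedRemoteUrl(urlString, patterns, matchPath = matchPathAnchored) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable URLs are never allowed
  }
  return patterns.some(
    (p) =>
      (!p.protocol || `${p.protocol}:` === url.protocol) &&
      (!p.hostname || p.hostname === url.hostname) &&
      (!p.pathname || matchPath(url.pathname, p.pathname)),
  );
}

// Constructed allowlist and sample URLs.
const ALLOW = [{ protocol: 'https', hostname: 'cdn.example.com', pathname: '/public/*' }];
const GOOD = 'https://cdn.example.com/public/logo.png';
const NESTED = 'https://cdn.example.com/private/public/logo.png';

console.log(isAllowedRemoteUrl(NESTED, ALLOW, matchPathUnanchored)); // true: prefix matched mid-path
console.log(isAllowedRemoteUrl(NESTED, ALLOW)); // false
console.log(isAllowedRemoteUrl(GOOD, ALLOW)); // true
```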
Recommendation
Update the astro package to the latest compatible version. Version details follow:
- Affected version(s): >= 2.10.10, < 5.18.1
- Patched version(s): 5.18.1
Tags: npm, astro
Last updated on March 26, 2026