Description
This issue concerns Astro’s remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match.
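The following is an added illustration, not Astro's own code: a simplified remotePatterns-style check for a rule of the form `{ hostname, pathname: "/prefix/*" }`, showing an unanchored path match next to the anchored form that the class of bug above calls for. The rule shape, the helper names and the sample URLs are assumptions for illustration.

```javascript
// Added example, not Astro's own code. The rule shape { hostname, pathname }
// and all helper names are assumptions for illustration.

// "/images/*" -> "/images/": the literal prefix a pathname must start with.
function wildcardPrefix(patternPath) {
  if (!patternPath.endsWith('/*')) {
    throw new Error('this example only handles pathnames ending in "/*"');
  }
  return patternPath.slice(0, -1);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Weak form of the bug described above: the regex carries no "^" anchor, so
// RegExp.test() reports a match wherever the prefix occurs in the path.
function pathMatchesUnanchored(patternPath, pathname) {
  const re = new RegExp(escapeRegExp(wildcardPrefix(patternPath)));
  return re.test(pathname);
}

// Corrected form: the prefix must sit at the very start of the pathname.
function pathMatchesAnchored(patternPath, pathname) {
  return pathname.startsWith(wildcardPrefix(patternPath));
}

// Allowlist decision for one rule and one remote URL. `matcher` selects the
// path check so the two behaviours can be compared side by side.
function isAllowed(rule, remoteUrl, matcher = pathMatchesAnchored) {
  const url = new URL(remoteUrl);
  if (url.protocol !== 'https:') return false;
  if (url.hostname !== rule.hostname) return false;
  return matcher(rule.pathname, url.pathname);
}

// Constructed sample rule and URLs (not taken from the advisory).
const rule = { hostname: 'cdn.example', pathname: '/images/*' };
const inside = 'https://cdn.example/images/logo.png';
const outside = 'https://cdn.example/uploads/images/logo.png';

console.log(isAllowed(rule, inside));                         // true
console.log(isAllowed(rule, outside, pathMatchesUnanchored)); // true  (bug)
console.log(isAllowed(rule, outside));                        // false (fixed)
```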
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): >= 2.10.10, < 5.18.1
- Patched version(s): 5.18.1
References
Related Issues
- Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize - CVE-2026-27829
- ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware - CVE-2026-32730
- Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
- Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
Tags:
- npm
- astro
Last updated on March 26, 2026