Snowflake · Astro · CVE-2026-27829
**Name of the Vulnerable Software and Affected Versions**
Astro versions 9.0.0 through 9.5.3
**Description**
Astro’s image pipeline allows the `image.domains` / `image.remotePatterns` allowlist to be bypassed, so the server can fetch content from remote hosts the site owner never authorized. The `inferSize` option, which makes Astro fetch a remote image at render time to determine its dimensions, does not validate the image URL against the configured domains or patterns when it is active, so the fetch is issued to whatever host the URL names. An attacker who can influence the image URL, for example through CMS content or user-supplied data, can therefore make the server request arbitrary hosts, which yields a server-side request forgery (SSRF) primitive against internal network services and cloud metadata endpoints. The advisory does not name a specific API endpoint used for the fetch; the affected input is the `src` value passed to the `getImage` function, which specifies the image URL.
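To make the failure mode concrete, the following is an added JavaScript illustration, not Astro’s source and not the fixed code: a small allowlist gate shaped like Astro’s `image.domains` / `image.remotePatterns` configuration, a hypothetical fetch decision that skips the gate whenever `inferSize` is set (the bug class the advisory describes), and the hardened decision that consults the gate unconditionally. The wildcard and path-matching rules, all function names, the sample configuration and the sample URLs are assumptions made for this example.

```javascript
// Added example, not Astro's source. Models a remote-image allowlist with the
// shape of Astro's `image.domains` / `image.remotePatterns` config. The matching
// rules below (`*.`, `**.`, `/*`, `/**`) are assumptions for this illustration.

// Hostname pattern: exact match, `*.base` (exactly one extra label), or
// `**.base` (any depth, including base itself).
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("**.")) {
    const base = pattern.slice(3);
    return hostname === base || hostname.endsWith("." + base);
  }
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    if (!hostname.endsWith("." + base)) return false;
    const label = hostname.slice(0, hostname.length - base.length - 1);
    return label.length > 0 && !label.includes(".");
  }
  return pattern === hostname;
}

// Path pattern: exact, `/prefix/*` (one more segment), or `/prefix/**` (any depth).
function pathMatches(pattern, pathname) {
  if (pattern.endsWith("/**")) return pathname.startsWith(pattern.slice(0, -2));
  if (pattern.endsWith("/*")) {
    const prefix = pattern.slice(0, -1);
    return pathname.startsWith(prefix) && !pathname.slice(prefix.length).includes("/");
  }
  return pattern === pathname;
}

// The gate: a remote src is allowed only if its *parsed* hostname is listed in
// `domains` or the URL matches one of `remotePatterns`. Parsing before matching
// matters: "https://cdn.example.com@169.254.169.254/x.png" has the hostname
// 169.254.169.254, not cdn.example.com.
function isAllowedRemote(src, config) {
  let url;
  try { url = new URL(src); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if ((config.domains ?? []).includes(url.hostname)) return true;
  return (config.remotePatterns ?? []).some((p) =>
    (p.protocol === undefined || p.protocol + ":" === url.protocol) &&
    (p.hostname === undefined || hostMatches(p.hostname, url.hostname)) &&
    (p.port === undefined || p.port === url.port) &&
    (p.pathname === undefined || pathMatches(p.pathname, url.pathname)));
}

// Vulnerable shape (hypothetical): the allowlist is consulted on the transform
// path only, so a render that merely needs dimensions (inferSize) triggers a
// fetch from any host. This is the bug class the advisory describes.
function vulnerableShouldFetch(src, options, config) {
  if (options.inferSize) return true;            // BUG: skips the gate
  return isAllowedRemote(src, config);
}

// Hardened shape: every remote fetch, whatever the reason for it, goes through
// the same gate; `options` is accepted for symmetry but cannot bypass it.
function hardenedShouldFetch(src, options, config) {
  return isAllowedRemote(src, config);
}

// Constructed sample configuration and URLs for the demo (not from the advisory).
const SAMPLE_CONFIG = {
  domains: ["cdn.example.com"],
  remotePatterns: [
    { protocol: "https", hostname: "**.images.example.net", pathname: "/assets/**" },
    { protocol: "https", hostname: "*.example.org" },
  ],
};
const METADATA_URL = "http://169.254.169.254/latest/meta-data/"; // cloud metadata endpoint

function demo() {
  const opts = { inferSize: true };
  return {
    cdnAllowed: hardenedShouldFetch("https://cdn.example.com/a.png", opts, SAMPLE_CONFIG),
    metadataVulnerable: vulnerableShouldFetch(METADATA_URL, opts, SAMPLE_CONFIG),
    metadataHardened: hardenedShouldFetch(METADATA_URL, opts, SAMPLE_CONFIG),
  };
}

console.log(demo());
```

Two points worth carrying over to any real implementation: the gate must run on the parsed URL, not on the raw string, or userinfo and similar tricks defeat a prefix comparison; and it validates only the first request, so a fetch that follows redirects must either disable them or re-run the gate on every hop, otherwise an allowed host that redirects to an internal address bypasses the allowlist.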
**Recommendations**
Update to Astro version 9.5.4 or later. Until the upgrade is applied, treat `inferSize` on remote images whose `src` is not fully controlled by the site as an SSRF exposure, and as defense in depth restrict outbound network access from the rendering host (egress filtering, in particular blocking the cloud metadata endpoint).