PT-2026-22062 · Snowflake · Astro

Pho9Ubenaa · Published 2026-02-25 · Updated 2026-03-09 · CVE-2026-27829

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Astro versions 9.0.0 through 9.5.3

Description: Astro’s image pipeline contains a flaw that allows the image.domains / image.remotePatterns restrictions to be bypassed, so the server fetches content from remote hosts that are not on the configured allowlist. When the inferSize option (used to determine image dimensions at render time) is active, no domain validation is performed, and the image is fetched from whatever host the URL names regardless of the configured restrictions. An attacker who can influence the image URL, for example through CMS content or user-supplied data, can therefore cause the server to fetch from arbitrary hosts, potentially leading to server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. The API endpoint used for image fetching is not explicitly mentioned; the src variable within the getImage function is what specifies the image URL.

Recommendations: Update to Astro version 9.5.4 or later.
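As a compensating control while upgrading, and as a way to verify the configured allowlist actually covers the hosts in use, the following is an added example (not Astro’s own code, and not from this advisory) of a guard that checks a remote src against image.domains / image.remotePatterns before the URL reaches getImage with inferSize enabled. The wildcard semantics for hostname and pathname ("*" matches within one segment, "**" matches across segments) are assumed here as an approximation of Astro’s and should be compared with the Astro version in use.

```javascript
// Added example: enforce an image.domains / image.remotePatterns allowlist on a
// remote src before calling getImage({ src, inferSize: true }). Wildcard
// handling ("*" = one segment, "**" = any number of segments) is an assumption,
// not a copy of Astro's matcher.

function globToRegExp(glob, segmentSep) {
  // Escape regex metacharacters (but keep "*"), then expand "**" and "*".
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped
    .replace(/\*\*/g, "\u0000")           // placeholder for "**"
    .replace(/\*/g, `[^${segmentSep}]*`)   // "*" stays inside one segment
    .replace(/\u0000/g, ".*");             // "**" may span segments
  return new RegExp(`^${body}$`);
}

function matchesPattern(url, p) {
  if (p.protocol && url.protocol !== `${p.protocol}:`) return false;
  if (p.port !== undefined && url.port !== p.port) return false;
  if (p.hostname && !globToRegExp(p.hostname, "\\.").test(url.hostname)) return false;
  if (p.pathname && !globToRegExp(p.pathname, "/").test(url.pathname)) return false;
  return true;
}

// True only for local (relative) sources or http(s) URLs whose host is listed in
// image.domains or matches at least one image.remotePatterns entry.
function isAllowedRemoteSrc(src, imageConfig = {}) {
  if (src.startsWith("//")) return false;          // protocol-relative: remote, not matched
  let url;
  try {
    url = new URL(src);
  } catch {
    return !/^[a-z][a-z0-9+.-]*:/i.test(src);      // no scheme => local asset path
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const domains = imageConfig.domains ?? [];
  const patterns = imageConfig.remotePatterns ?? [];
  return domains.includes(url.hostname) || patterns.some((p) => matchesPattern(url, p));
}

// Wrapper to use in place of a bare getImage call when inferSize is needed:
// it refuses disallowed hosts instead of relying on the image pipeline to do so.
async function getImageSafely(getImage, src, imageConfig) {
  if (!isAllowedRemoteSrc(src, imageConfig)) {
    throw new Error(`Remote image host not allowed: ${src}`);
  }
  return getImage({ src, inferSize: true });
}
```

Call getImageSafely with Astro’s getImage and the same object you pass as the image key of astro.config, so the guard and the pipeline share one allowlist.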

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-27829, GHSA-CJ9F-H6R6-4CX2

Affected Products: Astro