CVE-2026-27829
📋 TL;DR
This vulnerability in the Astro web framework, versions 9.0.0 through 9.5.3, allows attackers to bypass image domain restrictions when the inferSize option is enabled. An attacker can cause the server to fetch images from arbitrary, unauthorized hosts, which amounts to server-side request forgery (SSRF). Sites running Astro with inferSize enabled and user-controllable image URLs are affected.
💻 Affected Systems
- Astro
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full SSRF exploitation allowing access to internal network services, cloud metadata endpoints, or sensitive internal systems, potentially leading to data exfiltration or further network compromise.
Likely Case
Limited SSRF allowing reconnaissance of internal network services, potential data leakage from accessible endpoints, or denial of service through resource exhaustion.
If Mitigated
No impact if inferSize is disabled or proper input validation prevents attacker-controlled image URLs.
🎯 Exploit Status
Exploitation requires ability to control image URLs (e.g., via CMS, user input, or content injection).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5.4
Vendor Advisory: https://github.com/withastro/astro/security/advisories/GHSA-cj9f-h6r6-4cx2
Restart Required: Yes
Instructions:
1. Update Astro to version 9.5.4 or later using npm: npm update astro@latest.
2. Restart your Astro development server or production deployment.
3. Verify the update with: npm list astro.
🔧 Temporary Workarounds
Disable inferSize option
Disable the inferSize functionality to prevent unauthorized remote image fetching.
Set inferSize: false in your Astro image configuration.
Remove user-controlled image URLs
Validate and sanitize all image URLs so that attacker-controlled inputs never reach the image pipeline.
🧯 If You Can't Patch
- Disable inferSize option in all Astro configurations
- Implement strict input validation and sanitization for all image URL inputs
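One way to implement the input validation above, as an added example that is not Astro's own code: a user-supplied image URL is checked against an allowlist written in the same shape as Astro's image.domains / image.remotePatterns options before it is passed to an image with inferSize. The policy values, the glob matching rules and the helper names are this example's own assumptions.

```javascript
// Added example, not Astro's own code: allowlist a user-controlled remote image URL
// before it is handed to an <Image /> rendered with inferSize. The policy object has
// the same shape as Astro's image.domains / image.remotePatterns options.

// Constructed sample policy (same shape as the image section of astro.config).
const policy = {
  domains: ["cdn.example.com"],
  remotePatterns: [
    { protocol: "https", hostname: "**.images.example.net", pathname: "/public/**" },
  ],
};

// Turn a hostname or pathname glob into an anchored regex:
// "**" may span the separator (dots or slashes), a single "*" may not.
function globToRegex(glob, separator) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped
    .replace(/\*\*/g, "\u0000") // placeholder so "**" is not consumed by the "*" rule
    .replace(/\*/g, `[^${separator}]*`)
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${body}$`);
}

// Every field present in a remotePatterns entry must match; absent fields match anything.
function patternMatches(p, url) {
  if (p.protocol && url.protocol !== `${p.protocol}:`) return false;
  if (p.port !== undefined && url.port !== String(p.port)) return false;
  if (p.hostname && !globToRegex(p.hostname, "\\.").test(url.hostname)) return false;
  if (p.pathname && !globToRegex(p.pathname, "/").test(url.pathname)) return false;
  return true;
}

// True only for http(s) URLs with no embedded credentials whose host is a DNS name
// (an IP literal for a loopback, private or cloud-metadata address would otherwise
// slip past a name-based allowlist) and that match domains or remotePatterns.
// A hostname allowlist still trusts DNS: resolve-time checks or an egress proxy are
// needed if an allowed name could be pointed at an internal address.
function isAllowedImageUrl(input, p = policy) {
  let url;
  try { url = new URL(input); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  const host = url.hostname;
  if (host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (p.domains.includes(host)) return true;
  return p.remotePatterns.some((rp) => patternMatches(rp, url));
}
```

Call isAllowedImageUrl on every URL taken from a CMS field or request parameter and only render the image when it returns true; the resolve-time caveat in the comments still applies.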
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Astro version is between 9.0.0 and 9.5.3 AND inferSize is enabled in the configuration.
Check Version:
npm list astro | grep astro
Verify Fix Applied:
Verify that the Astro version is 9.5.4 or later, and test that image.domains/image.remotePatterns restrictions are still enforced for an image that has inferSize enabled.
📡 Detection & Monitoring
Log Indicators:
- Unexpected outbound HTTP requests from Astro server to unusual domains
- Failed image fetch attempts to unauthorized domains
- High volume of image processing requests
Network Indicators:
- Outbound HTTP requests from Astro server to internal IP ranges or cloud metadata endpoints
- Unusual traffic patterns from Astro server to external domains
SIEM Query:
source="astro-server" AND (http_request.method="GET" OR http_request.method="HEAD") AND NOT http_request.uri IN allowed_domains_list