CVE Alert

CVE-2026-33769

UNKNOWN 0.0

Astro: Remote allowlist bypass via unanchored matchPathname wildcard

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Astro is a web framework. Versions from 2.10.10 up to, but not including, 5.18.1 are affected. The issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that merely contains the allowed prefix somewhere later in the path still matches. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.
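As an added illustration (not Astro's source and not the actual patch), the JavaScript below shows the class of flaw the description names: a `/*` wildcard compiled into a pattern with no leading anchor, next to the anchored check that a remotePatterns-style allowlist needs. The allowlist entry, hostnames and URLs are constructed, and hostname matching is simplified to an exact comparison.

```javascript
// Convert an allowlist pattern such as "/images/*" into a RegExp.
// anchored=false reproduces the bug class in the advisory: without a
// leading "^" the expression matches anywhere inside the pathname.
function patternToRegExp(pattern, anchored) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp((anchored ? '^' : '') + escaped + '$');
}

// Hypothetical matcher: returns true when pathname satisfies pattern.
function matchPathname(pathname, pattern, anchored = true) {
  return patternToRegExp(pattern, anchored).test(pathname);
}

// Check a remote URL against one allowlist entry (protocol, hostname,
// pathname pattern). Hostname comparison is exact for this example.
function isAllowedRemote(urlString, allowed, anchored = true) {
  const url = new URL(urlString);
  if (url.protocol !== allowed.protocol + ':') return false;
  if (url.hostname !== allowed.hostname) return false;
  return matchPathname(url.pathname, allowed.pathname, anchored);
}

// Constructed sample allowlist entry and URLs.
const ALLOWED = { protocol: 'https', hostname: 'cdn.example', pathname: '/images/*' };
const IN_SCOPE = 'https://cdn.example/images/logo.png';
// Outside the allowed prefix, but "/images/" appears later in the path.
const OUT_OF_SCOPE = 'https://cdn.example/private/images/secret.png';

for (const u of [IN_SCOPE, OUT_OF_SCOPE]) {
  console.log(
    u,
    'unanchored:', isAllowedRemote(u, ALLOWED, false),
    'anchored:', isAllowedRemote(u, ALLOWED, true),
  );
}
```

The unanchored variant accepts OUT_OF_SCOPE because the regex finds "/images/" mid-path; the anchored variant rejects it while still accepting IN_SCOPE.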

CWE: CWE-20
Vendor: withastro
Product: astro
Published: Mar 24, 2026
Last Updated: Mar 24, 2026

Affected Versions

withastro / astro
>= 2.10.10, < 5.18.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f