Low severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026
Astro: Remote allowlist bypass via unanchored matchPathname wildcard
CVE-2026-33769
Description
Astro is a web framework. In versions from 2.10.10 up to, but not including, 5.18.1, Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers, such as the image optimization endpoint, is flawed: the path matching logic for /* wildcards is unanchored, so a pathname that merely contains the allowed prefix later in the path still matches. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| astro (npm) | >= 2.10.10, < 5.18.1 | 5.18.1 |
References
- https://github.com/advisories/GHSA-g735-7g2w-hh3f (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33769 (NVD entry)
- https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f (vendor advisory, confirmed)