@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Description
@astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN regexes that are broader than intended, allowing unintended remote image URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The @astrojs/netlify adapter (version 7.0.10 and likely earlier) converts Astro's image.remotePatterns configuration into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher [1][2]. For a hostname wildcard like *.example.com, the adapter emits ([a-z0-9-]+\.)?example\.com, making the subdomain optional so the apex host matches. For a pathname wildcard like /ok/*, the adapter emits a segment regex without end anchoring, so deeper paths (e.g., /ok/a/b.svg) match by prefix. The broadened patterns are written into .netlify/v1/config.json during the build [1][2].
Exploitation
An attacker with network access to the Netlify Image CDN endpoint (e.g., /.netlify/images) can craft a URL that passes the broadened regex but is rejected by Astro's stricter helper [1][2]. Examples are using the apex host localhost instead of a subdomain for the pattern *.localhost, or requesting a deeper path such as /ok/a/b.svg for the pattern /ok/*. No authentication is required if the image endpoint is publicly accessible. The attacker simply sends a GET request to /.netlify/images?url= with the crafted URL [1][2].
Impact
Successful exploitation allows an attacker to fetch remote images from unintended origins or paths, potentially leading to information disclosure (e.g., fetching internal resources if the server can reach them) or server-side request forgery (SSRF) via the image CDN's fetch mechanism [1][2]. The compromise is limited to image retrieval but could expose sensitive data or internal services.
Mitigation
As of the publication date (2026-06-16), no patched version of @astrojs/netlify has been released [1][2]. Users should monitor the advisory for updates and apply a fix once available. As a workaround, avoid using wildcard patterns in image.remotePatterns (e.g., use explicit hostnames and paths) or manually adjust the generated regex in .netlify/v1/config.json to match Astro's stricter semantics. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
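To make the gap between the intended semantics and the generated regexes concrete, and as a check a site owner can run against the patterns in .netlify/v1/config.json, here is an added example (not code from Astro or @astrojs/netlify). The strict matcher is a simplified stand-in for Astro's helper with the semantics described above (*.host needs exactly one extra label, /p/* exactly one extra segment); the host regex is the one quoted above, while the unanchored path regex and the sample URLs are constructed assumptions.

```javascript
// Strict matcher with the semantics the advisory attributes to Astro:
// "*.host" requires exactly one extra subdomain label, "/p/*" exactly one
// extra path segment. Simplified stand-in, not Astro's own code.
function strictMatch(url, { hostname, pathname }) {
  const u = new URL(url);
  let hostOk;
  if (hostname.startsWith('*.')) {
    const base = hostname.slice(2);
    hostOk = u.hostname.endsWith('.' + base) &&
      u.hostname.slice(0, -(base.length + 1)).split('.').length === 1;
  } else {
    hostOk = u.hostname === hostname;
  }
  let pathOk;
  if (pathname.endsWith('/*')) {
    const base = pathname.slice(0, -1); // keep the trailing '/'
    const rest = u.pathname.startsWith(base) ? u.pathname.slice(base.length) : null;
    pathOk = rest !== null && rest.length > 0 && !rest.includes('/');
  } else {
    pathOk = u.pathname === pathname;
  }
  return hostOk && pathOk;
}

// Regex-based check standing in for what the Netlify Image CDN evaluates.
function regexMatch(url, hostRe, pathRe) {
  const u = new URL(url);
  return hostRe.test(u.hostname) && pathRe.test(u.pathname);
}

// URLs the generated regexes accept but the strict matcher rejects: each one
// is a request the CDN would serve although the Astro config did not intend it.
function findOverBroad(pattern, hostRe, pathRe, candidates) {
  return candidates.filter((c) => regexMatch(c, hostRe, pathRe) && !strictMatch(c, pattern));
}

// Constructed sample: pattern *.localhost + /ok/*, the host regex quoted in the
// advisory, and an assumed segment regex with no trailing '$' for the path.
const SAMPLE_PATTERN = { hostname: '*.localhost', pathname: '/ok/*' };
const SAMPLE_HOST_RE = /^([a-z0-9-]+\.)?localhost$/;
const SAMPLE_PATH_RE = /^\/ok\/[^/]+/; // unanchored at the end (assumption)
const SAMPLE_URLS = [
  'http://img.localhost/ok/a.svg',   // intended: both accept
  'http://localhost/ok/a.svg',       // apex host: only the regex accepts
  'http://img.localhost/ok/a/b.svg', // deeper path: only the regex accepts
  'http://evil.example/ok/a.svg',    // neither accepts
];

function sampleOverBroad() {
  return findOverBroad(SAMPLE_PATTERN, SAMPLE_HOST_RE, SAMPLE_PATH_RE, SAMPLE_URLS);
}
```

Running the same comparison over the regexes actually emitted into .netlify/v1/config.json, with the site's own remotePatterns and a list of URLs it should never fetch, shows whether the build output matches the configured intent.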
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
References: 2
News mentions: 0 (No linked articles in our index yet.)