{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33769", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.127Z", "datePublished": "2026-03-24T18:44:29.169Z", "dateUpdated": "2026-03-24T20:13:25.845Z"}, "containers": {"cna": {"title": "Astro: Remote allowlist bypass via unanchored matchPathname wildcard", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f"}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"version": ">= 2.10.10, < 5.18.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:44:29.169Z"}, "descriptions": [{"lang": "en", "value": "Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1."}], "source": {"advisory": "GHSA-g735-7g2w-hh3f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T20:13:00.226310Z", "id": "CVE-2026-33769", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T20:13:25.845Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33769", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T20:13:00.226310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T20:13:11.332Z"}}], "cna": {"title": "Astro: Remote allowlist bypass via unanchored matchPathname wildcard", "source": {"advisory": "GHSA-g735-7g2w-hh3f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.9, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"status": "affected", "version": ">= 2.10.10, < 5.18.1"}]}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f", "name": "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T18:44:29.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33769", "state": "PUBLISHED", "dateUpdated": "2026-03-24T20:13:25.845Z", "dateReserved": "2026-03-23T18:30:14.127Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T18:44:29.169Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EE364D43-7BD4-435E-8B16-A41D16676555", "versionEndExcluding": "5.18.1", "versionStartIncluding": "2.10.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1."}, {"lang": "es", "value": "Astro es un framework web. Desde la versi\u00f3n 2.10.10 hasta antes de la versi\u00f3n 5.18.1, este problema concierne la aplicaci\u00f3n de rutas de remotePatterns de Astro para URLs remotas utilizadas por capturadores del lado del servidor, como el endpoint de optimizaci\u00f3n de im\u00e1genes. La l\u00f3gica de coincidencia de rutas para comodines /* no est\u00e1 anclada, por lo que un nombre de ruta que contenga el prefijo permitido m\u00e1s adelante en la ruta a\u00fan puede coincidir. Como resultado, un atacante puede obtener rutas fuera del prefijo permitido previsto en un host que de otro modo estar\u00eda permitido. Este problema ha sido parcheado en la versi\u00f3n 5.18.1."}], "id": "CVE-2026-33769", "lastModified": "2026-03-26T12:04:56.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T19:16:55.837", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.10,5.18.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "astro", "source": "cna", "vendor": "withastro"}, "product": "astro", "vendor": "withastro"}], "analysis": {"en": {"generated_at": "2026-03-26T14:58:56.754914+00:00", "value": {"mitigation_remediation": ["Upgrade Astro to version 5.18.1 or later", "Verify that remotePatterns configurations include only the intended prefixes", "If upgrading is not immediately possible, restrict exposure of image optimization or fetch endpoints to trusted traffic", "Monitor logs for abnormal remote fetch attempts"], "summary": {"action": "Upgrade", "impact": "Unauthorized Remote Resource Fetch"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Astro web framework from the vendor withastro:astro. It is present in releases from 2.10.10 up to, but not including, 5.18.1. All Node.js environments that run Astro are impacted, because the flaw resides in the framework rather than the underlying runtime. Users running any of these Astro versions should be aware that their remote resource fetch endpoints could be abused.", "description_and_impact": "Astro implements remote pattern allowlists for server\u2011side fetchers, such as the image optimization endpoint. In versions 2.10.10 through 5.18.0 the wildcard logic that matches a pathname is unanchored, meaning a request path that contains the permitted prefix later in the URL can still satisfy the rule. Consequently, an attacker can craft a URL that points to a resource outside the intended prefix on an otherwise allowed host, enabling unauthorized retrieval of remote content. This flaw exposes the application to inadvertent data leakage but does not lead to code execution or privilege escalation.", "risk_and_exploitability": "The CVSS score of 2.9 indicates a low severity, and the EPSS score is below 1\u202f%, suggesting a very low probability that attackers will target this flaw in the near term. The vulnerability is not listed in the KEV catalog, which means no confirmed exploit activity has been reported. Exploitation requires sending malicious requests to an Astro application that uses the affected image optimization or fetch resolution features with unfiltered remotePatterns. Thus, the likely attack vector is remote, via crafted URLs to a public endpoint. While the impact is limited to unauthorized data access, the flaw still calls for mitigation to prevent potential data leakage."}}}}, "created": "2026-03-25T11:46:30.520127+00:00", "updated": "2026-03-27T09:20:46.546308+00:00", "vendors": ["withastro", "withastro$PRODUCT$astro"]}