Skip to content

Commit fdbddbc

Browse files
1 parent 3b56f53 commit fdbddbc

2 files changed

Lines changed: 115 additions & 0 deletions

File tree

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2pvr-wf23-7pc7",
4+
"modified": "2026-06-16T14:38:06Z",
5+
"published": "2026-06-16T14:38:06Z",
6+
"aliases": [
7+
"CVE-2026-54299"
8+
],
9+
"summary": "Astro: Host header SSRF in prerendered error page fetch",
10+
"details": "## Summary\n\nAstro SSR apps with prerendered error pages (`/404` or `/500` using `export const prerender = true`) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from `request.url`, which in turn gets its origin from the incoming `Host` header. When the `Host` header is not validated against `allowedDomains`, an attacker can point the fetch at an arbitrary host and read the response.\n\n## Who is affected\n\nThis affects SSR deployments that:\n\n1. Have a prerendered 404 or 500 page\n2. Use `createRequestFromNodeRequest` from `astro/app/node` with `app.render()` **without** overriding `prerenderedErrorPageFetch` — this includes custom servers built on the public API and third-party adapters\n\n**Not affected:**\n- `@astrojs/node` >= 9.5.4 (reads error pages from disk)\n- `@astrojs/cloudflare` (uses the ASSETS binding)\n- The dev server (renders error pages in-process)\n\n## How it works\n\n`createRequestFromNodeRequest` builds `request.url` from the raw `Host` / `:authority` header. The `allowedDomains` option is accepted but only gates `X-Forwarded-For` — it does not constrain the URL origin. (The public `createRequest` does fall back to `localhost` for unvalidated hosts; this internal builder did not.)\n\nWhen `app.render()` encounters a 404 or 500 with a prerendered error route, `default-handler.ts` constructs the error page URL using the origin from `request.url` and fetches it via `prerenderedErrorPageFetch`, which defaults to global `fetch`. The response body is served to the client.\n\nAn attacker sends a request with `Host: attacker-host:port`, triggers an error (e.g., requesting a nonexistent path for a 404), and receives the response from the attacker-controlled host reflected back.\n\n## Remediation\n\nThe error page fetch origin is now validated against `allowedDomains` before use. When the host is validated, the original origin is preserved. Otherwise, it falls back to `localhost`. The fetch is also wrapped in a try/catch so that connection failures degrade gracefully to a plain error response.\n\n## Credit\n\n5ud0 / Tarmo Technologies",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "astro"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "6.4.6"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/withastro/astro/security/advisories/GHSA-2pvr-wf23-7pc7"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/withastro/astro"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-20",
51+
"CWE-918"
52+
],
53+
"severity": "HIGH",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-06-16T14:38:06Z",
56+
"nvd_published_at": null
57+
}
58+
}
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-529g-xq4f-cw38",
4+
"modified": "2026-06-16T14:37:33Z",
5+
"published": "2026-06-16T14:37:33Z",
6+
"aliases": [
7+
"CVE-2026-54300"
8+
],
9+
"summary": "@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config",
10+
"details": "## Summary\n\n`@astrojs/netlify` converts Astro `image.remotePatterns` into Netlify Image CDN `images.remote_images` regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as `*.example.com` is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as `/ok/*` is converted without end anchoring, so deeper paths match by prefix.\n\n## Technical details\n\nThe Netlify adapter generates regex strings for Netlify Image CDN from `image.remotePatterns`. For `*.example.com`, it emits `([a-z0-9-]+\\\\.)?example\\\\.com`, which makes the subdomain optional. Astro's canonical helper requires exactly one subdomain and rejects the apex host.\n\nFor `/ok/*`, the adapter emits a segment regex but does not anchor the end of the URL. Netlify's Image CDN implementation treats `images.remote_images` entries as JavaScript regular expressions and calls `.test(sourceImageUrl.href)`, so a URL such as `/ok/a/b.svg` matches the `/ok/a` prefix even though Astro's helper rejects it.\n\nThe latest npm package `@astrojs/netlify@7.0.10` contains this conversion logic, and a minimal Astro build writes the broadened patterns into `.netlify/v1/config.json`.\n\n## Reproduction\n\n1. Create an Astro app using `astro@6.3.8` and `@astrojs/netlify@7.0.10`.\n2. Configure Netlify output and a restrictive image pattern, for example `remotePatterns: [{ protocol: 'http', hostname: '*.localhost', pathname: '/ok/*' }]`.\n3. Build the app and observe that `.netlify/v1/config.json` contains `http://([a-z0-9-]+\\\\.)?localhost(:[0-9]+)?(\\\\/ok/[^/?#]+)/?([?][^#]*)?`.\n4. Serve a canary SVG on `127.0.0.1:9001`.\n5. Request `/.netlify/images?url=http%3A%2F%2Flocalhost%3A9001%2Fok%2Fa.svg&w=100`. Astro's helper rejects the apex `localhost` for `*.localhost`, but Netlify Image CDN accepts it and fetches the canary.\n6. As a negative control, request `/.netlify/images?url=http%3A%2F%2Flocalhost%3A9001%2Fnope%2Fa.svg&w=100`. This returns `403 Forbidden: Remote image URL not allowed` and does not hit the canary.\n7. Request `/.netlify/images?url=http%3A%2F%2Flocalhost%3A9001%2Fok%2Fa%2Fb.svg&w=100`. Astro's `/ok/*` helper rejects this deeper path, but Netlify Image CDN accepts it and fetches the canary.\n\n## Impact\n\nAny Astro app deployed with `@astrojs/netlify` and a restrictive `image.remotePatterns` config can expose a wider image-fetch boundary than intended. Public requests to the Netlify Image CDN endpoint can fetch URLs that Astro's own matcher would reject, including apex hosts for `*.host` patterns and deeper paths for `/path/*` patterns. The practical impact depends on what the application intended to isolate behind the remote image allowlist, but it can disclose image-like resources from unintended hosts or paths behind the same configured remote origin family.\n\n## Remediation\n\nGenerate regexes that exactly match Astro's canonical `matchHostname` and `matchPathname` semantics, and anchor the full URL match before writing `images.remote_images`. In particular, `*.example.com` should require exactly one subdomain and should not match `example.com`, and `/ok/*` should match exactly one additional path segment and should not match `/ok/a/b`.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@astrojs/netlify"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "7.0.13"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/withastro/astro/security/advisories/GHSA-529g-xq4f-cw38"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/withastro/astro"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-918"
51+
],
52+
"severity": "MODERATE",
53+
"github_reviewed": true,
54+
"github_reviewed_at": "2026-06-16T14:37:33Z",
55+
"nvd_published_at": null
56+
}
57+
}

0 commit comments

Comments
 (0)