Astro Development Server Arbitrary Local File Read Vulnerability
Vulnerability
A vulnerability in the development server of the Astro web framework (versions prior to 5.14.3) allows an attacker who can reach the dev server to read arbitrary image files from the host's file system. The flaw lies in the image optimization endpoint, /_image: in development mode it does not validate the href parameter against the project directory, so an absolute filesystem path is accepted and read directly, exposing any file readable by the Node.js process. The issue is fixed in Astro 5.14.3.
Impact
Exploitation allows unauthorized reading of image files from the local file system with the privileges of the Node.js process running the dev server; anything that process can open, the attacker can fetch. The issue is specific to development mode (astro dev), and the request is a plain GET, so it requires no authentication.
Reproduction
To reproduce, start the Astro development server (astro dev) and send a GET request to the /_image endpoint with an href query parameter set to the absolute path of a readable image file on the host. The request bypasses the endpoint's path checks and the response body contains the file's contents.
Remediation
Update to Astro 5.14.3 or later. Until the update is applied, do not expose the development server beyond localhost (for example with the --host option), since the only prerequisite for exploitation is the ability to send a GET request to it.
