Astro Remote Patterns Path Enforcement Bypass Vulnerability
Vulnerability
A path traversal vulnerability has been identified in Astro, a web framework, affecting versions from 2.10.10 up to but not including 5.18.1. The issue arises from improper enforcement of path restrictions in the 'remotePatterns' configuration option, which is used to validate remote URLs for server-side fetch operations such as image optimization. Because the wildcard matching logic is not anchored, a pattern's allowed path prefix is accepted wherever it appears within a URL's path, so attackers can reach paths outside the designated allowlist on a permitted host. This flaw has been patched in Astro version 5.18.1.
Impact
Exploitation of this vulnerability allows attackers to bypass path restrictions and fetch unintended remote resources from allowlisted hosts, potentially leading to unauthorized data exposure or server-side request forgery (SSRF) conditions.
Reproduction
To reproduce this vulnerability, configure an Astro project with a 'remotePatterns' entry that allows access to a specific path prefix, such as '/img/*'. Then send a request to the image optimization endpoint with a URL whose path embeds the allowed prefix inside a path that lies outside the allowlist. A response that returns the requested resource confirms the bypass, demonstrating that the path restriction was not properly enforced.
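The unanchored match the advisory describes, as an added illustration rather than Astro's own code: a hypothetical wildcard matcher in its vulnerable (unanchored) and hardened (anchored) forms, run over a constructed allowlist entry and sample URLs. Only the '/img/*' pattern syntax comes from the advisory; the function names, the exact-hostname comparison and the sample data are assumptions.

```javascript
// Added illustration of the bug class in the advisory above. This is NOT
// Astro's own code: the pattern syntax ("/img/*") comes from the advisory,
// but the matcher functions and sample allowlist entry are hypothetical.
// Translate a pathname pattern into regular-expression source. A single "*"
// stands for one path segment; "**" stands for any number of segments.
function patternToRegexSource(pattern) {
  return pattern
    .split('/')
    .map((seg) => {
      if (seg === '**') return '.*';
      // Escape regex metacharacters, then let "*" match within one segment.
      return seg.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
    })
    .join('/');
}

// Vulnerable form: no ^ or $ anchors, so "/img/*" is satisfied whenever the
// allowed prefix appears anywhere inside the pathname.
function matchesPathUnanchored(pattern, pathname) {
  return new RegExp(patternToRegexSource(pattern)).test(pathname);
}

// Hardened form: the pattern must cover the whole pathname.
function matchesPathAnchored(pattern, pathname) {
  return new RegExp('^' + patternToRegexSource(pattern) + '$').test(pathname);
}

// Check a remote URL against one allowlist entry (exact hostname plus a
// pathname pattern). The WHATWG URL parser resolves "." and ".." segments,
// so the matcher only ever sees a normalized pathname.
function isAllowed(entry, rawUrl, matcher) {
  const url = new URL(rawUrl);
  return url.hostname === entry.hostname && matcher(entry.pathname, url.pathname);
}

// Constructed sample allowlist entry and request URLs (not from the advisory).
const SAMPLE_ENTRY = { hostname: 'cdn.example', pathname: '/img/*' };
const SAMPLE_URLS = [
  'https://cdn.example/img/logo.png',         // intended use
  'https://cdn.example/private/img/logo.png', // allowed prefix embedded deeper in the path
  'https://cdn.example/img/sub/logo.png',     // extra segment; "*" covers only one
  'https://other.example/img/logo.png',       // host not in the allowlist
];

// Returns one verdict per sample URL for the given matcher.
function evaluate(matcher) {
  return SAMPLE_URLS.map((u) => isAllowed(SAMPLE_ENTRY, u, matcher));
}
```

The unanchored matcher accepts the second and third URLs; the anchored one accepts only the first.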
Remediation
Users should update to Astro version 5.18.1 or later, where this vulnerability has been patched.
