Summary
@astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as /ok/* is converted without end anchoring, so deeper paths match by prefix.
Technical details
The Netlify adapter generates regex strings for Netlify Image CDN from image.remotePatterns. For *.example.com, it emits ([a-z0-9-]+\\.)?example\\.com, which makes the subdomain optional. Astro's canonical helper requires exactly one subdomain and rejects the apex host.
For /ok/*, the adapter emits a segment regex but does not anchor the end of the URL. Netlify's Image CDN implementation treats images.remote_images entries as JavaScript regular expressions and calls .test(sourceImageUrl.href), so a URL such as /ok/a/b.svg matches the /ok/a prefix even though Astro's helper rejects it.
The latest npm package @astrojs/[email protected] contains this conversion logic, and a minimal Astro build writes the broadened patterns into .netlify/v1/config.json.
Reproduction
- Create an Astro app using [email protected] and @astrojs/[email protected].
- Configure Netlify output and a restrictive image pattern, for example remotePatterns: [{ protocol: 'http', hostname: '*.localhost', pathname: '/ok/*' }].
- Build the app and observe that .netlify/v1/config.json contains http://([a-z0-9-]+\\.)?localhost(:[0-9]+)?(\\/ok/[^/?#]+)/?([?][^#]*)?.
- Serve a canary SVG on 127.0.0.1:9001.
- Request /.netlify/images?url=http%3A%2F%2Flocalhost%3A9001%2Fok%2Fa.svg&w=100. Astro's helper rejects the apex localhost for *.localhost, but Netlify Image CDN accepts it and fetches the canary.
- As a negative control, request /.netlify/images?url=http%3A%2F%2Flocalhost%3A9001%2Fnope%2Fa.svg&w=100. This returns 403 Forbidden: Remote image URL not allowed and does not hit the canary.
- Request /.netlify/images?url=http%3A%2F%2Flocalhost%3A9001%2Fok%2Fa%2Fb.svg&w=100. Astro's /ok/* helper rejects this deeper path, but Netlify Image CDN accepts it and fetches the canary.
Impact
Any Astro app deployed with @astrojs/netlify and a restrictive image.remotePatterns config can expose a wider image-fetch boundary than intended. Public requests to the Netlify Image CDN endpoint can fetch URLs that Astro's own matcher would reject, including apex hosts for *.host patterns and deeper paths for /path/* patterns. The practical impact depends on what the application intended to isolate behind the remote image allowlist, but it can disclose image-like resources from unintended hosts or paths behind the same configured remote origin family.
The url query parameter of the /.netlify/images endpoint is untrusted input that selects the target of a server-initiated fetch. The reach is not unrestricted: it is bounded by the broadened regex, so an attacker can only steer the fetch to hosts and paths that the converted pattern accepts but the configured remotePatterns would have rejected (the apex host of a *.host pattern, deeper paths under a /path/* pattern). Whether that reaches an internal metadata service, an internal API, or a credential-bearing endpoint depends on what those extra hosts and paths serve in a given deployment.
CVE-2026-54300 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (7.0.13); upgrading removes the vulnerable code path.
Affected versions
@astrojs/netlify (npm) < 7.0.13
Security releases
@astrojs/netlify 7.0.13
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Generate regexes that exactly match Astro's canonical matchHostname and matchPathname semantics, and anchor the full URL match before writing images.remote_images. In particular, *.example.com should require exactly one subdomain and should not match example.com, and /ok/* should match exactly one additional path segment and should not match /ok/a/b.
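The conversion described under Technical details and the fix described above, as an added example written for this page (it is not code from @astrojs/netlify, Astro, or Netlify): it evaluates the broadened images.remote_images string quoted in the reproduction section the way the advisory says Netlify Image CDN does (RegExp.test over the full href), builds an anchored alternative from the same remotePatterns object, and runs constructed probe URLs mirroring the reproduction requests through both. The one-subdomain and one-segment rules come from the advisory; the `**` multi-level forms, the optional-port handling, and the query/fragment tail are assumptions following Astro's documented remotePatterns wildcards and are not discussed on this page.

```javascript
// Added example for this advisory; not code from @astrojs/netlify, Astro or Netlify.
// Contrasts the broadened remote_images regex with an anchored one built to the
// remotePatterns semantics the advisory describes (one subdomain for '*.', one
// segment for '/*').

// JSON-decoded form of the images.remote_images entry the advisory shows in
// .netlify/v1/config.json for { protocol: 'http', hostname: '*.localhost', pathname: '/ok/*' }.
const BROAD_SOURCE = 'http://([a-z0-9-]+\\.)?localhost(:[0-9]+)?(\\/ok/[^/?#]+)/?([?][^#]*)?';

// Escape regex metacharacters in literal hostname/path text ('/' needs no escaping in RegExp source).
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hostname fragment: '*.' requires exactly one label, '**.' one or more labels.
// The '**.' form is an assumption taken from Astro's documented wildcard levels,
// not something the advisory discusses.
function hostnameSource(hostname) {
  if (!hostname) return '[^/:?#]+';
  if (hostname.startsWith('**.')) return '(?:[a-z0-9-]+\\.)+' + escapeRe(hostname.slice(3));
  if (hostname.startsWith('*.')) return '[a-z0-9-]+\\.' + escapeRe(hostname.slice(2));
  return escapeRe(hostname);
}

// Pathname fragment: '/*' allows exactly one further segment (optionally with a
// trailing slash), '/**' any depth; otherwise an exact path.
function pathnameSource(pathname) {
  if (!pathname) return '/[^?#]*';
  if (pathname.endsWith('/**')) return escapeRe(pathname.slice(0, -3)) + '/[^?#]+';
  if (pathname.endsWith('/*')) return escapeRe(pathname.slice(0, -2)) + '/[^/?#]+/?';
  return escapeRe(pathname);
}

// Build one anchored images.remote_images entry from a remotePatterns object.
// Omitted protocol allows http or https; omitted port allows any or no port
// (both assumptions; the advisory only shows protocol, hostname and pathname).
function toRemoteImageSource({ protocol, hostname, pathname, port } = {}) {
  const proto = protocol ? escapeRe(protocol) : 'https?';
  const portSrc = port !== undefined ? ':' + escapeRe(String(port)) : '(?::[0-9]+)?';
  return '^' + proto + '://' + hostnameSource(hostname) + portSrc +
    pathnameSource(pathname) + '(?:\\?[^#]*)?(?:#.*)?$';
}

// The check as the advisory describes Netlify's: a RegExp tested against the full serialized URL.
function cdnAllows(source, url) {
  return new RegExp(source).test(new URL(url).href);
}

// Constructed probe URLs; 9001 is the canary port used in the advisory's reproduction.
const PROBES = [
  'http://a.localhost:9001/ok/a.svg',     // intended: one subdomain, one segment
  'http://localhost:9001/ok/a.svg',       // apex host, rejected by Astro's matcher
  'http://a.localhost:9001/ok/a/b.svg',   // deeper path, rejected by Astro's matcher
  'http://a.localhost:9001/nope/a.svg',   // negative control from the reproduction
  'http://a.b.localhost:9001/ok/a.svg',   // two subdomains, rejected by both
  'https://a.localhost:9001/ok/a.svg',    // wrong protocol, rejected by both
];

// One row per probe: what the broadened regex allows versus the anchored one.
function compare(pattern = { protocol: 'http', hostname: '*.localhost', pathname: '/ok/*' }) {
  const strict = toRemoteImageSource(pattern);
  return PROBES.map((url) => ({ url, broad: cdnAllows(BROAD_SOURCE, url), strict: cdnAllows(strict, url) }));
}

for (const row of compare()) {
  console.log(`broad=${row.broad ? 'ALLOW' : 'deny '}  strict=${row.strict ? 'ALLOW' : 'deny '}  ${row.url}`);
}
```

Run it with node. The strict column is what the configured remotePatterns object intended; the broad column is what the shipped config accepts, and the two apex and deeper-path rows are exactly the divergence the reproduction exercises. The builder is a reference for the remediation, not a drop-in replacement for the adapter's generator.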
Frequently Asked Questions
- What is CVE-2026-54300? CVE-2026-54300 is a medium-severity server-side request forgery (SSRF) vulnerability in @astrojs/netlify (npm), affecting versions < 7.0.13. It is fixed in 7.0.13. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2026-54300? CVE-2026-54300 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @astrojs/netlify are affected by CVE-2026-54300? @astrojs/netlify (npm) versions < 7.0.13 are affected.
- Is there a fix for CVE-2026-54300? Yes. CVE-2026-54300 is fixed in 7.0.13. Upgrade to this version or later.
- Is CVE-2026-54300 exploitable, and should I be worried? Whether CVE-2026-54300 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-54300 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-54300? Upgrade @astrojs/netlify to 7.0.13 or later.