CVE-2026-54300
Remote URL Pattern Bypass in Astro Netlify Adapter

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as /ok/* is converted without end anchoring, so deeper paths match by prefix. This vulnerability is fixed in 7.0.13.
Affected Vendors & Products

Vendor    Product   Version / Range
astrojs   netlify   up to 7.0.13 (excluding)
astrojs   netlify   from 7.0.13 (including)
CWE ID    Description
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

The CVE-2026-54300 vulnerability affects the @astrojs/netlify package versions 7.0.10 and below. It occurs because the package converts Astro's image.remotePatterns into Netlify Image CDN regex patterns with broader semantics than intended.

Specifically, wildcard hostnames like *.example.com are converted to regex patterns that also allow the apex host (example.com) to match, and wildcard pathnames like /ok/* are converted without end anchoring, permitting deeper paths to match by prefix.

This mismatch means that the Netlify Image CDN may accept URLs that Astro's own matcher would reject, potentially exposing unintended image resources.

For example, a request to /ok/a/b.svg would be allowed by Netlify's CDN even though Astro's helper would reject it.

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) because the CDN may fetch URLs from unintended sources.

This issue is fixed in @astrojs/netlify version 7.0.13 and later.

Impact Analysis

This vulnerability can impact you by allowing the Netlify Image CDN to accept and fetch image URLs that were not intended to be accessible according to Astro's original matching rules.

As a result, unauthorized access to restricted or sensitive image resources may occur, potentially leading to confidentiality breaches.

The CVSS score of 5.3 indicates a moderate severity primarily due to this potential confidentiality impact.

Compliance Impact

The vulnerability in @astrojs/netlify allows broader matching of image URLs than intended, potentially exposing restricted image resources to unauthorized access. This could lead to confidentiality breaches of sensitive data.

Such unauthorized exposure of confidential information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Detection Guidance

This vulnerability involves the @astrojs/netlify package versions 7.0.10 and below converting Astro's image.remotePatterns into broader regex patterns that allow unintended URL matches. Detection involves identifying if your system uses a vulnerable version of @astrojs/netlify and checking if the Netlify Image CDN is accepting image URLs that should be rejected by Astro's canonical matcher.

You can detect the vulnerability by verifying the installed package version with a command like:

  • npm list @astrojs/netlify

To check if the Netlify Image CDN is accepting unintended URLs, you can attempt to request image URLs that exploit the broader regex matching, such as accessing deeper paths beyond the intended pattern (e.g., /ok/a/b.svg) and observe if they are served.

Network monitoring tools or logs can be inspected for requests to image URLs that should be rejected by Astro's matcher but are accepted by the CDN.
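The description and the detection guidance above both come down to one question: for a given image.remotePatterns entry, which URLs would a regex built the broad way accept that Astro's own matcher rejects? The following is an added illustration, not code from @astrojs/netlify, Astro or Netlify. It models the two conversion defects the advisory describes (optional subdomain group for a single-wildcard hostname, no end anchor for a single-wildcard pathname) beside an anchored conversion that follows Astro's single-wildcard semantics (exactly one subdomain label, exactly one path segment), and audits a pattern against candidate URLs to list the over-matches. The pattern object shape, the sample URLs and the host/path split are constructed for clarity; the exact regex text the adapter emitted is not shown on this page.

```javascript
// Added illustration (not @astrojs/netlify, Astro or Netlify code).
// Compares a loose remotePatterns-to-regex conversion, as described in the
// advisory, with an anchored one, and reports URLs on which they disagree.
// ASSUMPTION: Astro's single "*" means exactly one hostname label / one path
// segment; the real adapter's emitted regex format is not reproduced here.

function escapeRegex(s) {
  // Escape regex metacharacters so a literal hostname or path is matched as-is.
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Loose conversion: reproduces the two defects described in the advisory.
function looseRegexes(pattern) {
  const { hostname = "", pathname = "" } = pattern;
  let host = "";
  if (hostname.startsWith("*.")) {
    // Optional subdomain group, so the apex host (example.com) also matches.
    host = `^(?:[^.]+\\.)?${escapeRegex(hostname.slice(2))}$`;
  } else if (hostname) {
    host = `^${escapeRegex(hostname)}$`;
  }
  let path = "";
  if (pathname.endsWith("/*")) {
    // Prefix only, no end anchor, so /ok/a/b.svg matches /ok/*.
    path = `^${escapeRegex(pathname.slice(0, -1))}`;
  } else if (pathname) {
    path = `^${escapeRegex(pathname)}$`;
  }
  // An empty source ("") matches anything, mirroring an unset field.
  return { host: new RegExp(host), path: new RegExp(path) };
}

// Anchored conversion: exactly one subdomain label and exactly one path segment.
function strictRegexes(pattern) {
  const { hostname = "", pathname = "" } = pattern;
  let host = "";
  if (hostname.startsWith("*.")) {
    host = `^[^.]+\\.${escapeRegex(hostname.slice(2))}$`;
  } else if (hostname) {
    host = `^${escapeRegex(hostname)}$`;
  }
  let path = "";
  if (pathname.endsWith("/*")) {
    host && 0; // no-op; keeps host/path handling symmetric for readability
    path = `^${escapeRegex(pathname.slice(0, -1))}[^/]+$`;
  } else if (pathname) {
    path = `^${escapeRegex(pathname)}$`;
  }
  return { host: new RegExp(host), path: new RegExp(path) };
}

// True when both the hostname and pathname parts of `url` satisfy `regexes`.
function accepts(regexes, url) {
  const u = new URL(url);
  return regexes.host.test(u.hostname) && regexes.path.test(u.pathname);
}

// Audit helper: URLs the loose conversion would let the CDN fetch
// but the anchored conversion (Astro's semantics) rejects.
function findOverMatches(pattern, candidateUrls) {
  const loose = looseRegexes(pattern);
  const strict = strictRegexes(pattern);
  return candidateUrls.filter((u) => accepts(loose, u) && !accepts(strict, u));
}

// Constructed sample pattern and URLs (not taken from any real configuration).
const SAMPLE_PATTERN = { protocol: "https", hostname: "*.example.com", pathname: "/ok/*" };
const SAMPLE_URLS = [
  "https://cdn.example.com/ok/a.svg",   // one label, one segment: both accept
  "https://example.com/ok/a.svg",       // apex host: loose accepts, strict rejects
  "https://cdn.example.com/ok/a/b.svg", // deeper path: loose accepts, strict rejects
  "https://cdn.other.test/ok/a.svg",    // different host: both reject
];

console.log("Over-matched URLs:", findOverMatches(SAMPLE_PATTERN, SAMPLE_URLS));
```

Running the audit on the constructed sample reports the apex-host URL and the deeper-path URL as over-matches, which are exactly the two cases the advisory names. The same helper can be run over your own image.remotePatterns entries and the image URLs you expect to be blocked, as a configuration-level check that complements the version check with npm list.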

Mitigation Strategies

The primary mitigation step is to update the @astrojs/netlify package to version 7.0.13 or later, where the vulnerability is fixed by aligning the regex generation with Astro's canonical matching semantics.

Until the update is applied, review and restrict image.remotePatterns configurations to avoid broad wildcard patterns that could be exploited.

Monitor your Netlify Image CDN logs for unexpected image requests that might indicate exploitation attempts.
