Netlify IPX Vulnerability Summary

This issue is fixed

Summary:

A researcher discovered a vulnerability in the original IPX Netlify plugin, which is also present in the Netlify fork. An attacker could manipulate the X-Forwarded-Proto header as it is sent to the image handler to bypass the source image allowlist and return arbitrary images. By default, the images were not served with a Content Security Policy header, so a malicious SVG with an embedded script could be returned and served from the site domain. This payload is cached on the server side, creating a poisoned cache that allows an attacker to execute stored cross-site scripting and full-response server-side request forgery on any website running the Netlify IPX image handler.

For more information…

If you have any questions, please respond directly to this thread.

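The two controls the summary points to, sketched as an added example (this is not code from the IPX plugin, the Netlify fork, or the actual fix): the forwarded protocol is reduced to a strict value, the allowlist is checked against the parsed final URL, and every image response carries a restrictive Content Security Policy. The function names, the hostnames, the lower-cased header key and the fallback to `https` are assumptions.

```javascript
// Added example with hypothetical helper names; not the IPX plugin's code.
const ALLOWED_PROTOCOLS = new Set(["http", "https"]);

// Accept the forwarded protocol only when it is exactly "http" or "https".
// Any other value (missing, malformed, unexpected) falls back to "https".
// Assumes header names are already lower-cased, as Node's HTTP server does.
function safeProtocol(headers) {
  const raw = headers["x-forwarded-proto"];
  const value = typeof raw === "string" ? raw.trim().toLowerCase() : "";
  return ALLOWED_PROTOCOLS.has(value) ? value : "https";
}

// Resolve the requested image id, then check the allowlist against the
// parsed URL that would actually be fetched, not against the input strings.
function resolveSource(id, headers, siteHost, allowedHosts) {
  const base = `${safeProtocol(headers)}://${siteHost}/`;
  let url;
  try {
    url = new URL(id, base);
  } catch {
    return { allowed: false, reason: "unparseable source" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol.slice(0, -1))) {
    return { allowed: false, reason: "scheme not allowed" };
  }
  if (url.username || url.password) {
    return { allowed: false, reason: "credentials in URL" };
  }
  const ok = url.host === siteHost || allowedHosts.includes(url.hostname);
  return ok
    ? { allowed: true, url: url.href }
    : { allowed: false, reason: "host not in allowlist" };
}

// Headers for every image response, so that an SVG carrying a script is
// rendered inert even when it is served from the site's own domain.
function imageResponseHeaders(contentType) {
  return {
    "Content-Type": contentType,
    "Content-Security-Policy": "script-src 'none'; sandbox",
    "X-Content-Type-Options": "nosniff",
  };
}
```

Because the decision is made on the parsed URL, a cache keyed on the returned `url` stores only responses that passed the allowlist.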