CVE-2022-39239 in netlify-ipx

Summary

by MITRE • 09/23/2022

netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be achieved by requesting a malicious SVG with embedded scripts, which would then be served from the site domain. Note that this does not apply to images loaded in `<img>` tags, as scripts do not execute in this context. The image URL can be set in the header independently of the request URL, meaning any site images that have not previously been cached can have their cache poisoned. This problem has been fixed in version 1.2.3. As a workaround, cached content can be cleared by re-deploying the site.


Analysis

by VulDB Data Team • 09/23/2022

The vulnerability described in CVE-2022-39239 affects the netlify-ipx package, which provides on-demand image optimization for Netlify websites. This package serves as a middleware component that processes image requests and caches optimized versions for improved performance. The flaw exists in versions prior to 1.2.3 where the domain allowlist validation mechanism can be bypassed through crafted HTTP headers. This represents a critical security weakness that allows unauthorized access to arbitrary image resources beyond the configured domain restrictions, fundamentally undermining the intended security boundaries of the image optimization service.

The technical flaw stems from improper validation of incoming HTTP headers that carry source image URLs. An attacker can set these headers to name a domain outside the allowed list, and the handler then fetches and caches an image from that unauthorized source. The weakness sits at the request-processing level: header values are not validated against the configured domain allowlist before they are used to decide which source image to load. This maps to CWE-20: Improper Input Validation, here in the form of header manipulation leading to an access control bypass. Because the optimized response is cached globally, the result is a cache poisoning condition: the fetched content is served to every subsequent visitor without any further malicious headers, until the cache is cleared.

The operational impact extends beyond unauthorized image access to potential cross-site scripting. If the cache is poisoned with an SVG image containing embedded scripts, that script runs in the browser of any legitimate user who opens the cached content, in the origin of the victim site. SVG is the relevant format because, unlike raster images, it can carry scripts that browsers execute when the document is rendered directly. The XSS is limited to contexts where the SVG is rendered as a document rather than loaded through an `<img>` tag, since scripts do not execute in the `<img>` context. The poisoned cache makes the threat persistent: the malicious content is served to all visitors without ongoing header manipulation, which is what makes the attack both dangerous and long-lived.

The security implications of this vulnerability align with ATT&CK technique T1588.002: "Phishing with Spoofed Content" and T1190: "Exploit Public-Facing Application", as it allows attackers to compromise the image optimization service and serve malicious content from the legitimate site's domain. The global caching mechanism exacerbates the threat: once poisoned, the malicious content remains accessible to all users, without further malicious requests, until the cache is cleared. The fix in version 1.2.3 addresses the core validation issue by enforcing the domain allowlist regardless of header values. Organizations should update to version 1.2.3 or later, redeploy their sites to clear already-cached content, and add monitoring for unusual image access patterns. The vulnerability illustrates the importance of input validation and the way cache poisoning turns a single bad request into a persistent threat in web applications.
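How allowlist enforcement should look, as an added example that is not netlify-ipx's own code: the weak pattern derives the fetch base from a request header, so the effective host is request-controlled; the hardened pattern resolves relative paths only against a configured origin, checks the parsed hostname against the allowlist, and marks rejections as uncacheable so a CDN never stores them. The host names, the `x-source-base` header and all function names are assumptions for illustration.

```javascript
// Added example, not the netlify-ipx implementation. Names are hypothetical.
const ALLOWED_HOSTS = new Set(["images.example.com", "cdn.example.net"]);
const SITE_ORIGIN = "https://site.example.org"; // configured, never read from headers

// Weak pattern: a relative image path is made absolute using a value taken from
// the request, so whoever sends the request chooses which host gets fetched.
function resolveSourceWeak(imagePath, headers) {
  const base = `https://${headers["x-source-base"] || "site.example.org"}`;
  return new URL(imagePath, base);
}

// Hardened pattern: relative paths resolve against the configured origin only;
// absolute (and protocol-relative) URLs must match the allowlist by parsed
// hostname, which also defeats "allowed.host@evil" and "allowed.host.evil" tricks.
function resolveSourceHardened(imagePath) {
  let url;
  try {
    url = new URL(imagePath, SITE_ORIGIN);
  } catch {
    return null; // unparseable input is rejected, not guessed at
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const sameSite = url.origin === new URL(SITE_ORIGIN).origin;
  if (!sameSite && !ALLOWED_HOSTS.has(url.hostname)) return null;
  return url;
}

// Response plan for one request. A rejection carries Cache-Control: no-store so
// the shared cache cannot be poisoned with the rejection either.
function planResponse(imagePath) {
  const src = resolveSourceHardened(imagePath);
  if (!src) {
    return { status: 403, headers: { "cache-control": "no-store" } };
  }
  return {
    status: 200,
    source: src.href,
    headers: { "cache-control": "public, max-age=31536000" },
  };
}
```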

Responsible

GitHub, Inc.

Reservation

09/02/2022

Disclosure

09/23/2022

Moderation

accepted

CPE

ready

EPSS

0.00348

KEV

no

Activities

very low
