Netlify IPX Vulnerability
Netlify is committed to the safety and security of our customers' data and the transparent, responsible disclosure of vulnerabilities. In this post we discuss a vulnerability in the Netlify IPX package that was discovered by Sam Curry, one of our security researchers.
Netlify has remediated the issue. Netlify worked with the upstream community to fix the vulnerability and there is no action needed from users.
Netlify IPX Vulnerability Summary
IPX is an image optimization server library that allows sites to serve images that are resized and reformatted on the fly. Although it was created by the Nuxt team, it can be used on any site that needs to serve optimized images. Netlify maintains a fork of the IPX Netlify plugin which is available by default for users of frameworks including Gatsby and Next.js.
In this case a researcher discovered a vulnerability in the original IPX Netlify plugin, which is also present in the Netlify fork. An attacker could manipulate the X-Forwarded-Proto header as it is sent to the image handler to bypass the source image allowlist and have arbitrary images returned. By default the images were not served with a Content Security Policy header, meaning that a malicious SVG with an embedded script could be returned and served from the site's own domain. Because the payload was cached on the server side, the cache was poisoned, allowing an attacker to execute stored cross-site scripting and full-response server-side request forgery on any website running the Netlify IPX image handler. You can reference this GitHub issue for more information.
Why did we fork the repo?
In this case, we forked the repo because the original project was published as a standalone Netlify plugin and we didn’t want to use it in that way. We wanted to publish it as a library so that it could be used on any website without needing a plugin to be installed, or could be installed as a dependency of other plugins or runtimes.
Netlify collaborates with bug bounty researchers
We’re passionate about working with our bug bounty research partners to make the Netlify platform better for everyone. In this case our researcher Sam Curry came to us with a vulnerability, and as we continued their research we were able to extend what they had found, escalating the overall severity of the finding. Bug bounty researchers are an important part of our team, and since they gave us the impetus to look in a particular area, we awarded them a bounty that covered not only what they found but also what we were able to extend the finding to. If you’re an amazing bug bounty researcher, we want to work with you. Have a look at our public bug bounty program today.
Steps we have taken to remedy this
We have mitigated this for all users by sanitizing the affected headers in all requests. We have also released updates to the Netlify IPX library to sanitize the header on the server. While there was no vulnerability in the IPX server library itself, after Netlify reported the vulnerability upstream to the IPX project the team released an update that adds a Content Security Policy header to all responses, which mitigates similar issues with malicious SVGs in the future. Finally, the original un-forked Netlify IPX plugin has been deprecated, as it was not being maintained and has been superseded by the Netlify fork.
What actions do you need to take?
You don’t need to take any action at this time. Netlify has remediated the issue, and no changes on your part, such as installing a new IPX package, are required. Should you have any questions, please contact Netlify Support.
Responsible disclosure of findings to Netlify
You can help us make the web not only a better place but a safer place as well by responsibly reporting your vulnerability findings through our public bug bounty program.