Issue has since been fixed
A vulnerability in Netlify could allow an attacker to achieve either persistent cross-site scripting (XSS) or full-response server-side request forgery on any supported website.
Netlify is a web development platform that also offers hosting and serverless backend services for websites.
Researchers found that Netlify was open to XSS attacks due to a cache poisoning vulnerability.
The security flaw, tracked as CVE-2022-39239, allowed an attacker to bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images.
Because the response is cached globally, the image would then be served to visitors without requiring those headers to be set.
Therefore, an attacker could achieve XSS by requesting a malicious SVG file with embedded scripts, which would then be served from the site domain.
The GitHub advisory explains: “Note that this does not apply to images loaded in <img> tags, as scripts do not execute in this context.
It adds: “The image URL can be set in the header independently of the request URL, meaning any site images that have not previously been cached can have their cache poisoned.”
URL parsing peril
A blog post by Sam Curry, one of the researchers involved in the discovery, explained that the bug affected multiple websites including Gemini, PancakeSwap, Docusign, Moonpay, and Celo.
Curry wrote: “It is possible to achieve cross-site scripting and server-side request forgery on any website running the “@netlify/ipx” library if the developers have added a whitelisted host to the configuration file due to improper URL parsing in the “unjs/ufo” library.
“This could be abused on a large number of websites as the “/_ipx/” route is installed [by default] on many Netlify installations.”
The issue was reported on August 24, 2022, and patched two days later in version 1.2.3.
“The problem is no longer exploitable on Netlify as the CDN [content delivery network] now sanitizes the relevant header. Cached content can be cleared by re-deploying the site,” the advisory reads.
More technical detail can be found in Curry’s write up.
The Daily Swig has reached out to Curry for further comment and will update this article accordingly.