Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Packet Storm EXIF Data Disclosure

🗓️ 13 Oct 2025 00:00:00Reported by Vaibhav JainType 
packetstorm
 packetstorm🔗 packetstorm.news👁 162 Views

Image uploads expose geolocation and device data due to unstripped image metadata on the Packet Storm site.

Code
Vulnerability Description :-
    
    When a user uploads an image in  https://packetstorm.news, the uploaded
    image’s EXIF Geolocation Data does not get stripped. As a result, anyone
    can get sensitive information from https://packetstorm.news users like
    their Geolocation, their Device information like Device Name, Version,
    Software & Software version used etc.
    
    Steps to Reproduce :-
    
    1. Navigate to this url :-  https://packetstorm.news/
    2. Login with Valid credentials
    4. Upload an image  [ you can download metadata contained image from here
     :- [ https://github.com/ianare/exif-samples/tree/master/jpg  ]
    5. After uploading , Right click on the image and open in a new tab
    6. Copy the url of that image or Download the image
    7. Navigate to this website :- https://exif.tools
    8. Paste that link or upload the downloaded image there and check EXIF
    Geolocation
    Data Not Stripped From Uploaded Image
    9. Please refer the proof of concept attached below for better understanding
    
    Reference :- https://hackerone.com/reports/446238
    
    
    Impact :-
    
    This vulnerability is CRITICAL and impacts all the  https://packetstorm.news
    customer base. This vulnerability violates the privacy of a User and shares
    sensitive information of the user who uploads an image on
    https://packetstorm.news .
    
    
    
    --- 
    Packet Storm note:
    
    2025/10/13: 
    
    A bad code push stripped a strip and exif data remained in some uploaded images. Our analysis shows only 0.004% of pics were affected and they have all been stripped to ensure no further exposure. This included pictures for 3 users (a packet storm admin one of them, the researcher the other, and a third pic that was not an accessible pic but rather a stored image on the backend that had been converted), along with an advertisement test image. We took the site offline during this process to mitigate further disclosure in case the issue was bigger. The primary vector of attack was addressed, tested, and pushed live. We would like to extend our thanks to Vaibhav Jain for reporting the issue.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Oct 2025 00:00Current
7.1High risk
Vulners AI Score7.1
Packet Stormimage metadatageolocation datadevice informationprivacy breachcritical vulnerabilitylogin requiredupload process
162