CVE-2022-39239
netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
Cross-site Scripting (XSS)
@netlify/ipx is vulnerable to cross-site scripting. The vulnerability exists in the createIPXHandler function in index.ts due to improper host validation, which allows an attacker to inject and execute malicious JavaScript via cache poisoning...
Design/Logic Flaw
netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
CVE-2022-39239
Netlify-ipx is vulnerable in versions before 1.2.3 to a cache-poisoning fault that allows an attacker to bypass the source image allowlist by sending crafted headers. This can cause the handler to load and return arbitrary images, which are then cached globally and served to visitors without requ...
CVE-2022-39239 netlify-ipx subject to Server-Side Request Forgery and Stored Cross-Site Scripting via Cache Poisoning and Improper Host Validation
netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
Netlify netlify-ipx code issue vulnerability
Netlify netlify-ipx is a library from the American company Netlify. It is used for on-demand image optimization on Netlify. A code issue vulnerability exists in Netlify netlify-ipx versions prior to 1.2.3. An attacker exploiting this vulnerability could bypass the source image domain allowlist by...
@netlify/plugin-nextjs (>=4.0.0 <=4.7.0), @netlify/plugin-nextjs-experimental (>=0.0.1 <=0.0.6-alpha-tracing.2) potentially affected by CVE-2022-39239 via @netlify/ipx (>=0.0.10 <=0.0.9)
@netlify/ipx NPM version =0.0.10, =4.0.0, =0.0.1, =0.0.6-alpha-tracing.2 Source CVEs: CVE-2022-39239 Source advisory: OSV:GHSA-9JJV-524M-JM98...
PT-2022-24833 · Netlify · Netlify-Ipx
Name of the Vulnerable Software and Affected Versions: netlify-ipx versions prior to 1.2.3
Description: The issue allows an attacker to bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is...