A serious security vulnerability existed in the Netlify cloud computing platform that allowed cross-site scripting attacks. Netlify has released a patch for the flaw with version 1.2.3. Users must ensure updating their systems with the latest release to receive the fix.
Netlify Cache Poisoning Vulnerability
Security researcher Sam Curry has elaborated on the severe Netlify vulnerability in a blog post.
As stated, the researcher discovered the vulnerability in the Next.js “netlify-ipx” repository. Exploiting the flaw could allow an adversary to perform cross-site scripting (XSS) and server-side request forgery (SSRF) attacks on the target website.
The vulnerability typically affected the websites using Next.js for the relevant Web3 functionality. Some popular platforms vulnerable to this issue include Celo, DocuSign, Moonpay, Gemini, and PancakeSwap.
In brief, the researchers found numerous security issues when scanning the platform for security. The first of these includes an open redirect on the “_next/image” handler, exploiting which could let an attacker redirect HTTP response to arbitrary websites. On OAuth whitelisted sites, exploiting the flaw could even allow the adversary to take over target accounts.
Next, the researchers found XSS and SSRF vulnerabilities on websites with whitelisted host in the configuration file and running the “@netlify/ipx” library. An attacker could exploit the flaw via maliciously crafted SVG files to execute arbitrary JavaScript codes and write arbitrary HTML.
In addition, the researchers noticed a full XSS and SSRF in the “netlify-ipx” library due to improper “x-forwarded-proto” header handling. An attacker could exploit the flaw to create stored XSS endpoint that may execute arbitrary codes upon loading.
Curry has shared the details about the vulnerability, CVE-2022-39239, in his post.
Netlify Deployed A Patch
Upon finding the bugs, the researcher reached out to Netlify developers, informing them of the flaw. In response, the vendor released a detailed advisory on GitHub, acknowledging the vulnerability. Alongside describing the issue, the vendors confirmed fixing the flaw with the release of Netlify version 1.2.3.
Besides, stating the workarounds, the advisory reads,
The problem is no longer exploitable on Netlify as the CDN now sanitizes the relevant header. Cached content can be cleared by re-deploying the site.
Let us know your thoughts in the comments.