
CVE-2022-39239: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in netlify netlify-ipx

Medium
Published: Fri Sep 23 2022 (09/23/2022, 07:55:08 UTC)
Source: CVE
Vendor/Project: netlify
Product: netlify-ipx

Description

netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this image will then be served to visitors without requiring those headers to be set. XSS can be achieved by requesting a malicious SVG with embedded scripts, which would then be served from the site domain. Note that this does not apply to images loaded in `<img>` tags, as scripts do not execute in this context. The image URL can be set in the header independently of the request URL, meaning any site images that have not previously been cached can have their cache poisoned. This problem has been fixed in version 1.2.3. As a workaround, cached content can be cleared by re-deploying the site.

AI-Powered Analysis

Last updated: 06/22/2025, 17:05:21 UTC

Technical Analysis

CVE-2022-39239 affects netlify-ipx, the component that provides on-demand image optimization on the Netlify platform. Versions prior to 1.2.3 allow an attacker to bypass the source image domain allowlist by sending specially crafted HTTP headers, causing the image handler to load and return arbitrary images from external sources. Because the response is cached globally by Netlify's CDN, the fetched image is then served to all visitors of the site without the attacker having to resend the crafted headers. This cache poisoning can be exploited by requesting a malicious SVG image containing embedded scripts; served from the site's own domain, such an SVG can execute cross-site scripting (XSS). This vector does not apply to images loaded via the standard `<img>` tag, because scripts embedded in SVGs do not execute in that context. The vulnerability also has a server-side request forgery (SSRF) aspect: the image URL is taken from the header independently of the request URL, so the server can be made to fetch arbitrary images, and any site image that has not yet been cached can have its cache entry poisoned. The issue was fixed in netlify-ipx 1.2.3. As a mitigation, clearing the CDN cache by redeploying the site removes poisoned cached content. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. XSS) and CWE-918 (Server-Side Request Forgery). No known exploits in the wild have been reported to date. The flaw impacts the confidentiality and integrity of users of affected sites by enabling script execution in the context of the trusted domain, potentially leading to session hijacking, credential theft, or other malicious actions. Exploitation requires no authentication, but the attacker must send crafted headers and host a malicious SVG payload. The scope is limited to sites using vulnerable versions of netlify-ipx and serving images through this mechanism.

Potential Impact

For European organizations using Netlify with netlify-ipx versions prior to 1.2.3, this vulnerability poses a risk of cross-site scripting attacks via poisoned image caches. The global CDN caching means that once an attacker poisons the cache, all visitors to the affected site can be served malicious SVG images capable of executing scripts in the site's domain context. This can lead to theft of user credentials, session tokens, or other sensitive information, undermining user trust and potentially violating data protection regulations such as GDPR. The SSRF component could also be leveraged to make unauthorized requests from the server, potentially exposing internal resources or enabling further attacks. Organizations in sectors with high web traffic or handling sensitive user data (e.g., e-commerce, finance, healthcare) are particularly at risk. The impact on availability is low, but the confidentiality and integrity risks are significant. Since the vulnerability does not require user interaction beyond visiting the site, the attack surface is broad. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially if attackers develop automated cache poisoning techniques. Failure to patch or mitigate could result in reputational damage and regulatory penalties for European organizations.

Mitigation Recommendations

1. Upgrade netlify-ipx to version 1.2.3 or later immediately to apply the official fix.
2. Redeploy affected Netlify sites to clear the global CDN cache and remove any poisoned cached images.
3. Implement strict Content Security Policy (CSP) headers restricting script execution and limiting allowed image sources to trusted domains.
4. Monitor HTTP headers and image requests for unusual or unexpected patterns that could indicate attempts to exploit header-based cache poisoning.
5. Regularly audit third-party dependencies and their versions to ensure timely patching of known vulnerabilities.
6. For critical sites, consider disabling on-demand image optimization temporarily if upgrading is not immediately feasible, to reduce attack surface.
7. Educate development and DevOps teams about the risks of SSRF and XSS in image processing components and the importance of input validation and output encoding.
8. Use security scanners capable of detecting SSRF and XSS vulnerabilities in CI/CD pipelines to catch regressions or new issues early.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9845c4522896dcbf4473

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 5:05:21 PM

Last updated: 8/11/2025, 12:41:10 AM

