SSRF in Next.JS Image Optimizer (Netlify IPX)

We discussed this vulnerability during Episode 165 on 07 November 2022

A cool look at finding a vulnerability on a statically generated website, due to the presence of an image optimizer running as a serverless function. The Netlify IPX would normally validate image urls before fetching them to ensure the host is whitelisted (none by default), however this whitelist is skipped when it believe the URL is a local URL, meaning it does not start with http. The vulnerability is that the when fetching one of these local URLs the protocol would be prepended to the URL, and this protocol could be attacker controlled through the x-forwarded-proto header, and would be appended without any validation. Allowing a proto like to be used to get an SSRF.

As it is an image cache/optimizer, the filetype did need to be an image, but this could still be abused with an SVG which can contain JavaScript to run on any victim, as the x-forwarded-proto didn’t influence the cache key any following user requesting the same image would be served the cached one as long as the cache was active.

The post ends with a somewhat less interesting (in my opinion) issue in GatsbyJS where a full read SSRF could be obtained through a similar file (not only image) proxy mechanism, however this could only be accessed if the Gatsby server was actually running instead of building the site.