CVE-2022-36048: 
NixOS vulnerability analysis and mitigation

A vulnerability in Zulip Server versions prior to 5.6 allows attackers to bypass the image proxy mechanism, potentially leading to IP address leaks. The vulnerability, identified as CVE-2022-36048, was discovered and disclosed in August 2022. When displaying messages with embedded remote images, Zulip normally loads image previews via a go-camo proxy server, but this vulnerability allows attackers to craft URLs that bypass this protection (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Moderate), with the following characteristics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, Unchanged scope, Low confidentiality impact, and No impact on integrity or availability. The technical vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability allows attackers who can send messages to include crafted URLs that bypass the image proxy protection. This bypass enables attackers to potentially infer the viewer's IP address and collect browser fingerprinting information, compromising user privacy (GitHub Advisory).

The vulnerability has been fixed in Zulip Server version 5.6. Organizations using affected versions should upgrade to this patched version. As a workaround, organizations can disable image and link previews to prevent exploitation (GitHub Advisory).