
Cloud Vulnerability DB
A community-led vulnerabilities database
netlify-ipx, an on-demand image optimization tool for Netlify built on ipx, was found to contain a security vulnerability in versions prior to 1.2.3. The vulnerability was discovered and disclosed on September 21, 2022, and was assigned CVE-2022-39239. The issue affects the source image domain validation functionality of the application (GitHub Advisory).
The vulnerability stems from insufficient validation of source image domains. An attacker can bypass the source image domain allowlist by sending specially crafted headers, which causes the handler to load and return arbitrary images. The vulnerability is particularly concerning because the response is cached globally, meaning the compromised content will be served to visitors without requiring the malicious headers to be set again. The vulnerability has been assigned a CVSS score of 5.4 (CISA).
The vulnerability can lead to multiple security issues: Server-Side Request Forgery (SSRF) allowing loading of arbitrary images, cache poisoning of any site images that haven't been previously cached, and potential Cross-Site Scripting (XSS) through malicious SVG files with embedded scripts served from the site domain. However, the XSS impact is limited as scripts do not execute in the context of image tags (GitHub Advisory).
The vulnerability has been patched in version 1.2.3 of netlify-ipx. Additionally, the issue is no longer exploitable on Netlify as the CDN now sanitizes the relevant header. As a temporary workaround, cached content can be cleared by re-deploying the site (GitHub Advisory).
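As an added illustration (not code from netlify-ipx or the advisory), the following JavaScript contrasts a source-domain check of the kind the advisory describes with a hardened one. The weak variant assumes, for illustration only, a handler that derives the site's own origin from request headers and exempts relative paths from the allowlist; the page does not say which header the real bypass used. SITE_ORIGIN, ALLOWED_HOSTS and the header names are assumed configuration.

```javascript
// Constructed example (not netlify-ipx code): two ways to validate a source
// image location before fetching it. The "weak" variant assumes, for
// illustration, a handler that derives "this site's origin" from request
// headers and exempts relative paths from the allowlist; the hardened
// variant resolves every source against a configured origin and allowlists
// the resulting host with no exception.
const SITE_ORIGIN = "https://example.com";                            // assumed deployment config
const ALLOWED_HOSTS = new Set(["example.com", "images.example.com"]); // assumed allowlist

// Resolve src (relative or absolute) against base; reject non-HTTP schemes.
function resolveSource(src, base) {
  let url;
  try {
    url = new URL(src, base);
  } catch {
    return null; // unparseable input is rejected rather than guessed at
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url;
}

// Weak pattern: the base origin comes from headers the client controls, and a
// path that merely looks relative is trusted as "our own site".
function weakSourceUrl(src, headers) {
  const host = headers["x-forwarded-host"] || headers["host"];
  const url = resolveSource(src, `https://${host}`);
  if (!url) return null;
  if (!/^https?:\/\//i.test(src)) return url.href; // relative => skips allowlist
  return ALLOWED_HOSTS.has(url.hostname) ? url.href : null;
}

// Hardened: the base is fixed configuration, and the resolved hostname is
// always checked, so neither headers nor protocol-relative paths change it.
function hardenedSourceUrl(src) {
  const url = resolveSource(src, SITE_ORIGIN);
  if (!url) return null;
  return ALLOWED_HOSTS.has(url.hostname) ? url.href : null;
}

// Cache under the validated URL, never under the raw request input, so a
// rejected source can never populate a key that legitimate requests share.
function cacheKeyFor(validatedHref) {
  return validatedHref === null ? null : `img:${validatedHref}`;
}
```

Because the cache key is derived from the already validated URL, a request that fails validation never writes an entry that later visitors would be served.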
Source: This report was generated using AI