New Launch

Take a deep dive into the fastest Gatsby, yet: Gatsby 5!

ContactSign Up for Free

Vulnerability Patched in the Gatsby Cloud Image CDN

Mike Gualtieri
October 26th, 2022

We recently patched a high risk security vulnerability in our Gatsby Cloud Image CDN service.  Since all affected customers have been informed about the vulnerability, and have been given time to patch their sites, we are now communicating details of the vulnerability and our fix publicly.

Credit for finding this vulnerability goes to Shubham Shah of Assetnote and Sam Curry of Yuga Labs, who brought the issue to our attention.

Vulnerability Details

The Gatsby Cloud Image CDN implementation allowed for arbitrary URLs to be sent to the u= URL parameter, which was exposed as a query parameter on _gatsby/image and _gatsby/file/ routes.  Due to insufficient checking if the URL was valid for a build, the content of the arbitrary URL would be rendered by the website, presenting an opportunity to exploit the vulnerability via a Server Side Request Forgery (SSRF) and/or Cross Site Scripting (XSS) attack.

While the _gatsby/image route and the u= parameter is used by sites not using our Image CDN service, the vulnerability only affected sites that had enabled the Image CDN.

We have no information that would suggest that this vulnerability had been used to target our customers.

How we addressed this vulnerability

On September 21st we released an update to gatsby-plugin-utils@3.17.1, and on October 6th an update to the Gatsby Cloud, which together will fully mitigate the vulnerability.

Sites that are using our Image CDN service and running a non-vulnerable version of gatsby-plugin-utils will now have all CDN URLs encrypted as part of the build process, through the query parameter eu=.  The encryption mechanism ensures that only valid URLs that were included in a site build will be interpreted as a valid route.  An added benefit of this approach is that the source URL is no longer exposed client side, which builds a layer of privacy for our customers running a private headless CMS.

What you should do to keep your website(s) safe…

To remediate the vulnerability for your site(s), choose one of the following options:

  • Remediation Option 1: Upgrade to gatsby-plugin-utils@3.17.1 or higher by upgrading Gatsby to the latest version, and rebuild your site.  Once rebuilt and deployed your site will no longer be vulnerable to the flaw.To upgrade, we recommend taking the following steps:
    1. Bump all gatsby-* packages (and gatsby) to the latest versions and commit these to your site source repository. (As an example, run: npm i gatsby@latest gatsby-transformer-sharp@latest gatsby-source-contentful@latest.)
    2. Navigate to “Site Settings” > “Images”.  With Image CDN enabled, check the message that will indicate if your site is vulnerable or not vulnerable.  (If you don’t see this message, reload the page in your browser.)  The message will only be displayed when Image CDN is enabled.
    3. In the case that your site is still vulnerable, use yarn/npm resolutions to force the installed version of gatsby-plugin-utils to >=3.17.1.

Indication that your site is vulnerable.

Indication that your site is not vulnerable.
Please note that you may need to wait a second for the message to update as the vulnerability check is run.

  • Remediation Option 2:  Disable Image CDN for your site(s).  Since this vulnerability only affects websites that have Image CDN enabled, disabling the feature will eliminate vulnerability.  Please note that disabling Image CDN will trigger a full rebuild of your site.  Once rebuilt and deployed your site will no longer be vulnerable to the flaw.

 

If you have any additional questions please feel free to reach out to our Customer Success team at support@gatsbyjs.com or directly to our security team at security@gatsbyjs.com.

Share on TwitterShare on LinkedInShare on FacebookShare via Email

Hacker, security researcher, entrepreneur. Purple Team. Avid gardener and ham radio operator. Known to make and break software. Loves reverse shells and hiking in the woods with my wife and kids.

Follow Mike Gualtieri on Twitter

Tagged with cybersecurity, information security, securityView all Tags

Talk to our team of Gatsby Experts to supercharge your website performance.

Contact Gatsby Now
© 2022 Gatsby, Inc.