Tandoor Recipes EXIF Metadata Leakage Vulnerability via WebP and GIF Image Uploads

Vulnerability

A privacy vulnerability exists in Tandoor Recipes versions prior to 2.6.0, where the image processing pipeline fails to strip EXIF metadata, validate image sizes, and properly resize WebP and GIF images. This oversight allows sensitive EXIF data, including GPS coordinates, camera details, timestamps, and software information, to be stored and shared with users viewing the recipe. The issue arises because the application bypasses essential metadata checks for these image formats, leaving personal information exposed.
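To make concrete what a stripping step has to do for the WebP case, here is an added, dependency-free example that is not Tandoor's code: it walks the RIFF container, reports which metadata chunks (EXIF, XMP) are present, and rewrites the file without them, also clearing the matching feature bits in the VP8X header. The sample file is constructed inline and is not a decodable image; a production pipeline would normally re-encode through an image library instead, but the check shows what "metadata preserved" means at the byte level.

```python
import struct

METADATA_CHUNKS = {b"EXIF", b"XMP "}           # WebP chunks that carry EXIF / XMP metadata
VP8X_FLAG_EXIF, VP8X_FLAG_XMP = 0x08, 0x04    # feature bits in the VP8X extended header

def iter_chunks(data: bytes):
    """Yield (fourcc, payload) for every chunk in a WebP RIFF container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    end = min(len(data), 8 + struct.unpack("<I", data[4:8])[0])
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        if pos + 8 + size > end:
            raise ValueError(f"truncated {fourcc!r} chunk")
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)           # RIFF chunks are padded to an even length

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad

def metadata_chunks(data: bytes) -> list:
    """Detection check: which metadata chunks does this WebP still carry?"""
    return [fourcc for fourcc, _ in iter_chunks(data) if fourcc in METADATA_CHUNKS]

def strip_webp_metadata(data: bytes) -> bytes:
    """Drop EXIF/XMP chunks and clear their VP8X feature bits; image data is kept intact."""
    body = b""
    for fourcc, payload in iter_chunks(data):
        if fourcc in METADATA_CHUNKS:
            continue
        if fourcc == b"VP8X" and payload:
            payload = bytes([payload[0] & ~(VP8X_FLAG_EXIF | VP8X_FLAG_XMP)]) + payload[1:]
        body += _chunk(fourcc, payload)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body

# Constructed sample (not a real image): VP8X header with the EXIF bit set, a dummy
# 10-byte "VP8 " chunk, and an odd-length EXIF chunk standing in for a TIFF/GPS block.
_VP8X = bytes([VP8X_FLAG_EXIF, 0, 0, 0]) + b"\x0f\x00\x00" + b"\x0f\x00\x00"  # 16x16 canvas
_EXIF = b"MM\x00*\x00\x00\x00\x08" + b"GPS-PLACEHOLDER"
_BODY = _chunk(b"VP8X", _VP8X) + _chunk(b"VP8 ", b"\x00" * 10) + _chunk(b"EXIF", _EXIF)
SAMPLE_WEBP = b"RIFF" + struct.pack("<I", 4 + len(_BODY)) + b"WEBP" + _BODY

if __name__ == "__main__":
    print("before:", metadata_chunks(SAMPLE_WEBP))                       # [b'EXIF']
    print("after: ", metadata_chunks(strip_webp_metadata(SAMPLE_WEBP)))  # []
```

Running `metadata_chunks` on a downloaded recipe image is the same check the reproduction step performs by hand; an empty list after upload is what a fixed pipeline should produce.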

Impact

Uploading WebP or GIF images retains and exposes GPS data, camera information, timestamps, and software details, creating privacy risks such as location tracking and potential violations of privacy regulations like GDPR and CCPA.

Reproduction

To reproduce this vulnerability, upload a WebP image containing EXIF metadata, including GPS coordinates, to a recipe. After uploading, the image can be downloaded, and the EXIF data can be extracted to verify that the GPS information and other metadata have been preserved, indicating the vulnerability has been successfully exploited.

Remediation

Users can update to Tandoor Recipes version 2.6.0 or later, where this vulnerability has been fixed.

Added: Mar 26, 2026, 7:44 PM
Updated: Mar 26, 2026, 7:44 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          0.6
exploitability  6.3
remediation     7.7
relevance       4.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.