Netlify is committed to the safety and security of our customers’ data and the [transparent, responsible disclosure of vulnerabilities](https://www.netlify.com/blog/our-commitment-to-security-transparency/). In this post we discuss [a vulnerability](https://github.com/netlify/netlify-ipx/security/advisories/GHSA-9jjv-524m-jm98) in the Netlify IPX package that was discovered by [Sam Curry](https://samcurry.net/universal-xss-on-netlifys-next-js-library/), one of our security researchers.

Netlify has remediated the issue. Netlify worked with the upstream community to fix the vulnerability and there is no action needed from users.

## Netlify IPX Vulnerability Summary

IPX is an image optimization server library that allows sites to serve images that are resized and reformatted on the fly. Although it was created by the Nuxt team, it can be used on any site that needs to serve optimized images. Netlify maintains a fork of the IPX Netlify plugin which is available by default for users of frameworks including Gatsby and Next.js.

In this case a researcher discovered a vulnerability in the original IPX Netlify plugin, which is also present in the Netlify fork. An attacker could manipulate the `X-Forwarded-Proto` header as it is sent to the image handler to bypass the source image allowlist and have the handler return arbitrary images. By default the images were not served with a Content Security Policy header, so a malicious SVG with an embedded script could be returned and served from the site domain. Because the payload is cached on the server side, the cache becomes poisoned, giving an attacker the ability to perform stored cross-site scripting and full-response server-side request forgery on any website running the Netlify IPX image handler. You can [reference this GitHub advisory](https://github.com/netlify/netlify-ipx/security/advisories/GHSA-9jjv-524m-jm98) for more information.

### Why did we fork the repo?

In this case, we forked the repo because the original project was published as a standalone Netlify plugin and we didn’t want to use it in that way. We wanted to publish it as a library so that it could be used on any website without needing a plugin to be installed, or could be installed as a dependency of other plugins or runtimes.

## Netlify collaborates with bug bounty researchers

We’re passionate about working with our bug bounty research partners to make the Netlify platform better for everyone. In this case our researcher [Sam Curry](https://samcurry.net/universal-xss-on-netlifys-next-js-library/) came to us with a vulnerability, and as we continued their research we were able to extend what they had found, escalating the overall severity of the finding. Bug bounty researchers are an important part of our team, and since they gave us the impetus to look in a particular area, we awarded them a bounty that covered not only what they found but also what we were able to extend the finding to. If you’re an amazing bug bounty researcher, we want to work with you. Have a look at our [public bug bounty program](https://hackerone.com/netlify/) today.

## Steps we have taken to remedy this

We have mitigated this for all users by sanitizing the affected headers in all requests. We have also released updates to the Netlify IPX library to sanitize the header on the server. Although there was no vulnerability in the IPX server library itself, after Netlify reported the finding upstream to the IPX project, the team released an update that adds a Content Security Policy header to all responses, which mitigates similar issues with malicious SVGs in future. Finally, the original un-forked Netlify IPX plugin has been deprecated, as it was not being maintained, and has been superseded by the Netlify fork.
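As an added illustration of the two mitigations described in this post and of the mechanism summarised above (this is example code, not code from netlify-ipx or the upstream IPX project), the following Node.js snippet reduces the forwarded protocol header to a fixed set of values before it is used to build any URL, checks remote sources against an allowlist by exact origin, and attaches a Content Security Policy header to every image response so that a script embedded in an SVG is not executed. The function names, the allowlist and the exact CSP value are assumptions; the post only says that the header is sanitized and that a CSP header was added.

```javascript
// Added example, not netlify-ipx code. Shows forwarded-header sanitisation,
// origin-based allowlisting and a CSP on image responses. Names and values
// are assumptions for illustration. Uses only the global URL class.

// Only "http" and "https" are ever accepted from X-Forwarded-Proto. Anything
// else (missing, multi-valued with a bad first entry, extra punctuation)
// falls back to https, so the header can never inject a different host.
function sanitizeForwardedProto(value) {
  const proto = String(value ?? "").split(",")[0].trim().toLowerCase();
  return proto === "http" || proto === "https" ? proto : "https";
}

// Resolve a local image path against the site origin. The host is assumed
// to come from a trusted platform value; the protocol is sanitised first,
// so the forwarded header can only ever select between two fixed schemes.
function resolveSiteUrl(forwardedProto, host, imagePath) {
  const proto = sanitizeForwardedProto(forwardedProto);
  return new URL(imagePath, `${proto}://${host}/`).href;
}

// Remote sources must match the allowlist by exact origin, never by
// substring, and anything that does not parse as a URL is rejected.
function isAllowedSource(candidateUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(candidateUrl);
  } catch {
    return false;
  }
  return allowedOrigins.includes(parsed.origin);
}

// Every optimised image goes out with a CSP that forbids script execution,
// so an SVG carrying <script> is rendered as an image rather than run, and
// nosniff stops the browser reinterpreting the body as HTML. The CSP value
// is an assumption; the post only states that a CSP header was added.
function imageResponseHeaders(contentType) {
  return {
    "Content-Type": contentType,
    "Content-Security-Policy": "default-src 'none'",
    "X-Content-Type-Options": "nosniff",
  };
}
```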

## What actions do you need to take?

You don’t need to take any action at this time. Netlify has remediated the issue, and no changes are required on your part: you do not need to install a new IPX package. Should you have any questions, please [contact Netlify Support](https://www.netlify.com/support/).

## Responsible disclosure of findings to Netlify

You can help us make the web not only a better place but a safer place as well by responsibly reporting your vulnerability findings through our [public bug bounty program](https://hackerone.com/netlify/).
