Hasty Briefs (beta)

Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

  • #Roundcube
  • #Security Vulnerability
  • #Email Tracking
  • Roundcube's rcube_washtml sanitizer failed to block external resources on <feImage> because the element was not recognised as an image and its href was handled on the wrong code path.
  • Attackers could track email opens even with 'Block remote images' enabled by exploiting this vulnerability.
  • Fixed in versions 1.5.13 and 1.6.13 by updating the is_image_attribute function to include <feImage>.
  • Because <feImage> was not treated as an image element, its href went through the wash_link function, which permits HTTP/HTTPS URLs, so the remote-image restriction was bypassed.
  • Proof of concept involved an invisible SVG that triggered a GET request to an attacker's URL.
  • Impact included potential IP logging and browser fingerprinting despite remote image blocking.
  • Remediation involved collapsing checks into a single regex to properly handle SVG elements.
  • Timeline shows the vulnerability was reported on 2026-01-04 and fixed by 2026-02-08.
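The bug class described above, as an added example that is not Roundcube's code: a small SVG washer in Python whose `is_image_attribute` check is shown both in its assumed pre-fix form (only `<image>` counts as an image) and its assumed post-fix form (a single regex also matching `<feImage>`). The function names echo the advisory, but their bodies, the `wash_link` stub, the `wash_svg` driver and the sample SVG (with the constructed host `tracker.example`) are assumptions written for this demonstration. With the pre-fix check, the `<feImage>` href falls into the link path and an https URL survives washing even though remote images are blocked; with the post-fix check it is stripped like any other remote image.

```python
"""Illustrative SVG washer demonstrating the <feImage> gap (added example, not Roundcube's code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

REMOTE_URL = re.compile(r"^\s*https?:", re.IGNORECASE)

# Constructed sample: an ordinary <image> plus a filter primitive <feImage>,
# both pointing at a remote host (tracker.example is a placeholder).
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="1" height="1">
  <image xlink:href="https://tracker.example/a.png" width="1" height="1"/>
  <filter id="f">
    <feImage xlink:href="https://tracker.example/b.png"/>
  </filter>
  <rect width="1" height="1" filter="url(#f)"/>
</svg>"""


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def is_image_attribute_before(tag, attr):
    """Assumed pre-fix check: only <image href> is treated as an image load."""
    return tag == "image" and attr == "href"


def is_image_attribute_after(tag, attr):
    """Assumed post-fix check: one regex covers both <image> and <feImage>."""
    return re.fullmatch(r"image|feimage", tag) is not None and attr == "href"


def wash_link(url):
    """Assumed link washer: keeps http/https/mailto/fragment links, drops other schemes."""
    return url if re.match(r"^\s*(https?:|mailto:|#)", url, re.IGNORECASE) else ""


def wash_svg(svg_text, is_image_attribute, block_remote=True):
    """Wash every href in the SVG.

    Returns (washed_svg, surviving_remote) where surviving_remote lists
    (element, url) pairs that still point at an http/https resource after
    washing, i.e. loads that would happen despite 'Block remote images'.
    """
    root = ET.fromstring(svg_text)
    surviving_remote = []
    for el in root.iter():
        tag = local_name(el.tag)
        for key in list(el.attrib):
            attr = local_name(key)
            if attr != "href":
                continue
            value = el.attrib[key]
            if is_image_attribute(tag, attr):
                # Image path: honour the user's remote-image preference.
                if block_remote and REMOTE_URL.match(value):
                    del el.attrib[key]
                continue
            # Not recognised as an image: the href is washed as a link,
            # and link washing has no reason to reject https.
            washed = wash_link(value)
            if washed:
                el.attrib[key] = washed
                if REMOTE_URL.match(washed):
                    surviving_remote.append((tag, washed))
            else:
                del el.attrib[key]
    return ET.tostring(root, encoding="unicode"), surviving_remote


def audit(svg_text):
    """Compare the two checks on one document; returns the surviving remote loads for each."""
    _, before = wash_svg(svg_text, is_image_attribute_before)
    _, after = wash_svg(svg_text, is_image_attribute_after)
    return {"before_fix": before, "after_fix": after}


if __name__ == "__main__":
    result = audit(SAMPLE_SVG)
    print("remote loads surviving pre-fix washer :", result["before_fix"])
    print("remote loads surviving post-fix washer:", result["after_fix"])
```

The audit is the check a defender wants after upgrading: run the washer over an SVG attachment or inline SVG and confirm that no `href` on an auto-loading element (`<image>`, `<feImage>`) still carries an http/https URL when remote images are blocked.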