DELTA OBSCURA
We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.
Apache Answer - v1.4.1 - Externally referenced images can leak user privacy
| Type | software |
| Product Environment | web |
| Product Name | Apache Answer |
| Product Vendor | Apache Software Foundation |
| Product Version | 1.4.1 |
| Product Link | https://answer.apache.org/ |
| Vulnerability Name | Externally referenced images can leak user privacy |
| Severity | Medium |
|
CVSS String
|
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| CVSS Score | 5.7 |
| CVE ID | CVE-2025-29868 |
| Vendor Acknowledgement | Yes |
|
Affected digital Assets
|
1 |
|
Affected Users
|
1000 |
| Date of Reporting | Feb 02, 2025 |
| PoC Exploit | - |
| Credit | 0xhamy,daeda1us |
Description
Apache Answer Q&A v1.4.1 is vulnerable to stored external resource loading via Markdown image embedding, enabling passive privacy data exfiltration from viewers’ browsers.
When a comment includes a Markdown image referencing an attacker-controlled URL, the browser (client) loads that external resource whenever the post or comment thread is viewed, disclosing the viewer’s IP address and User-Agent/OS to the attacker.
Severity / CVSS (our assessment): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N → 5.7 (Medium)
Vendor-assigned: 6.5 (Medium)
Vulnerability Details
- The platform’s Markdown renderer permits
in comments and posts. - Fetching of the image is performed by the viewer’s browser, not the server. Each view issues an HTTP request to the attacker’s endpoint.
- Because the payload resides in a stored location (a comment), any user who loads the affected question or comment thread triggers the outbound request.
- The embedded image can be made effectively invisible (e.g., short
alttext, tiny/failed image rendering inside compact comment UI), ensuring stealthy tracking. - Practical impact includes:
- Logging viewer IP addresses and User-Agent strings (browser & OS fingerprinting).
- Per-view tracking (timestamps, referrers where applicable) allowing correlation of user activity.
Steps to Reproduce
-
Open a question where you can comment.
Navigate to:
/questions/10010000000000002 -
Post a comment with a Markdown image pointing to a controlled endpoint.
Example payload:
(You may also use a public collector such as https://webhook.site/<your-id>).
-
View the question (or expand the comments).
When any user loads the page, their browser performs a GET request to the specified URL. -
Observe captured viewer metadata.
On the attacker server, record incoming requests and inspect:
- IP address (source IP of the viewer)
- User-Agent (browser, OS)
- Timestamps and any additional headers
- Stealth variant.
Use an endpoint that returns a 1×1 transparent image or a 204/404 response; the image may appear as a broken or collapsed element inside the comment UI, keeping the tracking inconspicuous while still exfiltrating metadata.
Recommendation
- Gate external content: Add a server-side setting (default disabled) that blocks Markdown from fetching remote resources in untrusted contexts (comments, user posts).
- Content sanitization: Strip or rewrite Markdown image URLs in user-generated content to relative/whitelisted origins only.
- Proxy with strict policy: If remote images must be supported, proxy them through a server-side fetcher with:
- Domain allowlist/blocklist
- Header normalization (remove viewer-identifying headers)
- Caching to avoid repeated external contacts per view
- CSP hardening: Deploy a Content-Security-Policy that disallows
img-srcto arbitrary origins in UGC surfaces (e.g.,img-src 'self' data:) or isolates UGC in a sandboxed origin. - Granular trust tiers: Require elevated privileges (or moderation approval) for posts/comments containing external resources.
- UI signaling & opt-in: Clearly indicate when a thread would load third-party content and provide a click-to-load control to prevent automatic requests.