Metadata Is Not Stripped From Images in publify/publify


Reported on

May 22nd 2022

  1. While uploading an image on as a low privileged user the meta data of the image like geolocation, device information, version, name etc is not getting stripped, as a result the attacker can collect all the meta data information of the image by using tools like exif tool, metadata checker etc which is publicly available.

Steps to reproduce:

  1. Login as demo user
  2. Go to
  3. Upload any images on the media library

  1. Copy the url by clicking on original size or open the image in new tab
  2. go to and check the image metadata by pasting the copied link, al the sensitive informations got disclosed publicly

Patch recommendation:

  1. Remove the meta data from uploaded images


  1. This vulnerability impacts all users on publify. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads the images
We are processing your report and will contact the publify team within 24 hours. 10 months ago
publify/publify maintainer has acknowledged this report 10 months ago
Akshay Ravi
10 months ago


hey @maintainer any update on this?

Akshay Ravi
9 months ago


hey @maintainer any update on this?

Matijs van Zuijlen validated this vulnerability 8 months ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the publify team. We will try again in 7 days. 7 months ago
We have sent a second fix follow up to the publify team. We will try again in 10 days. 7 months ago
We have sent a third and final fix follow up to the publify team. This report is now considered stale. 7 months ago
Akshay Ravi
6 months ago


@maintainer can you please make this report public, then only the CVE will be published, thanks

Akshay Ravi
4 months ago


@admin please make this report public.

4 months ago


Hey Akshay! We can only do that if you show us that this vulnerability has been fixed and published on GitHub otherwise we have to wait on the maintainer.... We can't violate responsible disclosure

3 months ago


Hey Akshay, sorry for not getting back on this sooner. For some reason I didn't get any notifications from the messages starting 3 months ago. I will be releasing a fix for this in the coming weeks.

Matijs van Zuijlen marked this as fixed in 9.2.10 with commit af6909 3 months ago
Matijs van Zuijlen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Matijs van Zuijlen published this vulnerability 3 months ago
to join this conversation