github →

New request

#20477: Security Bug Report: EXIF Metadata Not Stripped from Uploaded Organization Logos

We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.

Issue
prio: low

Introduction: I discovered that the Twenty CRM application does not remove EXIF metadata from uploaded JPG images. As a result, sensitive information such as GPS location data remains embedded and accessible after upload and download.

Steps to Reproduce:

  1. Navigate to https://app.twenty.com/welcome
  2. Register a new account with valid details.
  3. During setup, upload a JPG image containing GPS metadata (e.g., from https://github.com/ianare/exif-samples/tree/master/jpg/gps).
  4. Complete the setup process.
  5. Download the uploaded organization logo from the application.
  6. Open the image in any EXIF viewer (e.g., https://jimpl.com/).
  7. Observe that GPS location and other metadata are still present.

Impact:

  1. Exposure of sensitive location data embedded in images.
  2. Privacy risk for users uploading images taken on personal devices.
  3. Potential leakage of internal or organizational location information.

Video Proof Of Concept: https://drive.google.com/file/d/17-IuGkOMznai8LfRTOk83-8byzVzobaJ/view?usp=sharing

Reference: A similar issue has been reported on HackerOne (GitLab): https://hackerone.com/reports/446238

Assessmentadvisory
bug●● medium85% confidence

Uploaded organization logo images are persisted without stripping EXIF metadata, leaking sensitive location information.

Likely files
  • packages/twenty-server/src/engine/core-modules/file/services/file-upload.service.ts
  • packages/twenty-server/src/engine/core-modules/file/file.resolver.ts
  • packages/twenty-front/src/modules/settings/components/LogoUploader.tsx
Create the request

This opens a fresh agent run and a draft PR for issue #20477.

Cancel