New request
#20477: Security Bug Report: EXIF Metadata Not Stripped from Uploaded Organization Logos
We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.
Issue
prio: low
Introduction: I discovered that the Twenty CRM application does not remove EXIF metadata from uploaded JPG images. As a result, sensitive information such as GPS location data remains embedded and accessible after upload and download.
Steps to Reproduce:
- Navigate to https://app.twenty.com/welcome
- Register a new account with valid details.
- During setup, upload a JPG image containing GPS metadata (e.g., from https://github.com/ianare/exif-samples/tree/master/jpg/gps).
- Complete the setup process.
- Download the uploaded organization logo from the application.
- Open the image in any EXIF viewer (e.g., https://jimpl.com/).
- Observe that GPS location and other metadata are still present.
Impact:
- Exposure of sensitive location data embedded in images.
- Privacy risk for users uploading images taken on personal devices.
- Potential leakage of internal or organizational location information.
Video Proof Of Concept: https://drive.google.com/file/d/17-IuGkOMznai8LfRTOk83-8byzVzobaJ/view?usp=sharing
Reference: A similar issue has been reported on HackerOne (GitLab): https://hackerone.com/reports/446238
Assessmentadvisory
bug●● medium85% confidence
Uploaded organization logo images are persisted without stripping EXIF metadata, leaking sensitive location information.
Likely files
- packages/twenty-server/src/engine/core-modules/file/services/file-upload.service.ts
- packages/twenty-server/src/engine/core-modules/file/file.resolver.ts
- packages/twenty-front/src/modules/settings/components/LogoUploader.tsx
Create the request