Attack Chain

1. An attacker identifies an AFFiNE instance.
2. The attacker crafts a malicious URL targeting the /image-proxy endpoint with a payload designed to reflect arbitrary headers, possibly revealing internal network information.
3. The attacker sends the crafted URL to a victim, or the attacker directly accesses the vulnerable endpoint if internal IP leakage is the goal.
4. The AFFiNE server fetches the URL and reflects the attacker-controlled headers in the response, leading to XSS execution in the victim’s browser.
5. Alternatively, the attacker crafts a bookmark card containing a “javascript:” link.
6. The attacker saves the malicious bookmark card within AFFiNE.
7. When a user clicks on the malicious bookmark card, the injected JavaScript code executes within their browser session, enabling further malicious actions.
8. The attacker can then steal cookies, redirect the user, or perform other actions within the context of the AFFiNE application.

Impact

Successful exploitation of the reflected XSS vulnerability can expose internal IP addresses of AFFiNE instances, potentially affecting all users of the self-hosted application. The stored XSS vulnerability can lead to account takeover, data theft, or further propagation of malicious content within the AFFiNE workspace. AFFiNE has 66k stars on GitHub, indicating a significant user base, making the impact potentially widespread. The affected sectors are broad, as AFFiNE is a general-purpose productivity tool.

Recommendation

• Block the /image-proxy endpoint at the network or proxy level as a temporary mitigation for the reflected XSS vulnerability, as suggested by the researcher.
• Educate users to avoid clicking on links starting with “javascript:” in bookmark cards to prevent exploitation of the stored XSS vulnerability.
• Deploy the Sigma rule to detect access to the vulnerable /image-proxy endpoint.
• Deploy the Sigma rule to detect bookmark cards with suspicious JavaScript links.