EXIF Not Stripped
Images served without stripping EXIF metadata can leak GPS coordinates, device information, timestamps, and other sensitive data about the person who took the photo.
How It Works
Digital cameras and smartphones embed metadata (EXIF data) in every photo. This includes GPS coordinates, camera model, date and time, software version, and sometimes even the owner's name. When users upload photos to a web application and the server stores them without stripping this metadata, anyone who downloads the image can extract the embedded information. GPS coordinates can reveal a user's home address, workplace, or current location. Device information can be used for fingerprinting. While not directly exploitable for code execution, this is a significant privacy violation that can enable stalking, doxxing, or social engineering attacks. Note that the same EXIF block carries the orientation tag that viewers use to display a photo the right way up, so an image pipeline should apply that rotation to the pixels before discarding the metadata; otherwise stripped photos come out sideways.
Vulnerable (the uploaded file is stored and served untouched, EXIF included):

```javascript
const express = require('express');
const multer = require('multer');
const app = express();
const upload = multer({ dest: 'uploads/' });
app.post('/photos', upload.single('photo'), (req, res) => {
  // Image saved with all EXIF metadata intact (GPS, device, timestamps)
  res.json({ url: `/photos/${req.file.filename}` });
});
```

Fixed (sharp strips all metadata by default, so the only work is to apply the EXIF orientation first and to delete the original; the page's earlier `.withMetadata({ exif: undefined })` call would have re-enabled metadata output and is removed):

```javascript
const express = require('express');
const multer = require('multer');
const sharp = require('sharp');
const fs = require('fs/promises');
const app = express();
const upload = multer({ dest: 'uploads/' });
app.post('/photos', upload.single('photo'), async (req, res) => {
  await sharp(req.file.path)
    .rotate() // Bake the EXIF orientation into the pixels before the tag is dropped
    .toFile(`uploads/clean-${req.file.filename}`); // No withMetadata(): sharp writes no EXIF/XMP/IPTC/ICC by default
  await fs.unlink(req.file.path); // Delete the untouched original so it can never be served
  res.json({ url: `/photos/clean-${req.file.filename}` });
});
```

Real-World Example
In 2012, antivirus pioneer John McAfee was located by authorities in Guatemala after a journalist published a photo of him. The EXIF GPS data in the photo revealed his exact location, leading to his arrest. Multiple social media platforms now strip EXIF data, but many web apps still do not.
How to Prevent It
- Use sharp or similar library to strip all EXIF metadata on upload
- Auto-rotate images based on EXIF orientation before stripping metadata
- Never serve original uploaded images directly — always process them first
- Implement a CDN or image processing pipeline that strips metadata by default
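As an added check, not part of this page or of Data Hogo's scanner: a small Node.js JPEG segment walker (names exifReport, stripApp1 and SAMPLE_JPEG are assumed, the sample bytes constructed here) that reports whether an image still carries an EXIF block with a GPSInfo pointer and removes every APP1 segment. It is the kind of test to run against the output of the upload pipeline above before trusting "always process them first".

```javascript
// Added example, not the page's own code: minimal JPEG marker walker. Parses
// only IFD0 of the EXIF TIFF block, which is enough to spot a GPSInfo pointer.
const SOI = 0xffd8, APP1 = 0xffe1, SOS = 0xffda;
const TAG_GPS_IFD = 0x8825; // IFD0 entry that points at the GPS sub-IFD
// Walk marker segments up to Start Of Scan (entropy-coded data follows it).
function walk(buf) {
  if (buf.length < 4 || buf.readUInt16BE(0) !== SOI) throw new Error('not a JPEG');
  const segs = [];
  let pos = 2;
  while (pos + 4 <= buf.length && buf.readUInt16BE(pos) !== SOS) {
    const len = buf.readUInt16BE(pos + 2); // length field counts its own 2 bytes
    if (len < 2 || pos + 2 + len > buf.length) throw new Error('truncated segment');
    segs.push({ marker: buf.readUInt16BE(pos), start: pos, end: pos + 2 + len });
    pos += 2 + len;
  }
  return { segs, scanStart: pos };
}
// Does an EXIF APP1 exist, and does its IFD0 contain a GPSInfo pointer?
function exifReport(buf) {
  for (const s of walk(buf).segs) {
    if (s.marker !== APP1 || buf.toString('latin1', s.start + 4, s.start + 10) !== 'Exif\0\0') continue;
    const tiff = buf.subarray(s.start + 10, s.end);
    const le = tiff.toString('latin1', 0, 2) === 'II'; // TIFF byte order ('II' little, 'MM' big)
    const u16 = (o) => (le ? tiff.readUInt16LE(o) : tiff.readUInt16BE(o));
    const u32 = (o) => (le ? tiff.readUInt32LE(o) : tiff.readUInt32BE(o));
    const ifd0 = u32(4); // offset of IFD0 relative to the TIFF header
    let hasGps = false;
    for (let i = 0, n = u16(ifd0); i < n; i++) {
      if (u16(ifd0 + 2 + i * 12) === TAG_GPS_IFD) hasGps = true; // 12-byte entries, tag id first
    }
    return { hasExif: true, hasGps };
  }
  return { hasExif: false, hasGps: false };
}
// Copy of the file with every APP1 segment removed (EXIF and XMP both use APP1).
function stripApp1(buf) {
  const { segs, scanStart } = walk(buf);
  const parts = [buf.subarray(0, 2)];
  for (const s of segs) if (s.marker !== APP1) parts.push(buf.subarray(s.start, s.end));
  parts.push(buf.subarray(scanStart));
  return Buffer.concat(parts);
}
// Constructed sample: SOI, a JFIF APP0 (kept), an EXIF APP1 whose IFD0 holds one
// GPSInfo entry (tag 0x8825, big-endian TIFF), then SOS and EOI.
const SAMPLE_JPEG = Buffer.from(
  'ffd8' + 'ffe000104a46494600010100000100010000' +
  'ffe10022' + '457869660000' + '4d4d002a00000008' + '0001' + '88250004000000010000001a' + '00000000' +
  'ffdaffd9', 'hex');
```

Running exifReport over a real file from the pipeline should return hasExif false; if it does not, the stripping step is not doing what the code claims.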
Affected Technologies
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
- Path Traversal (high): File paths constructed with unvalidated user input allow attackers to read or write arbitrary files on the server using ../ sequences.
- File Upload No Validation (high): Accepting file uploads without verifying type, size, or content allows attackers to upload malicious executables, web shells, or oversized files that crash the server.
- SVG with JavaScript (medium): Accepting SVG uploads without sanitization allows attackers to embed JavaScript in SVG files, enabling XSS attacks when the SVG is rendered in a browser.
- PDF Generation Injection (medium): Injecting HTML or JavaScript into PDF generation templates allows attackers to read server-side files, make internal network requests, or execute scripts in the PDF viewer.