CVE-2024-31993

Name of the Vulnerable Software and Affected Versions Mealie versions prior to 1.4.0

Description The issue concerns the scrape image function, which retrieves an image based on a user-provided URL without validating if the URL points to an external location and lacks enforced rate limiting. The response from the server varies depending on whether the target file is an image, not an image, or does not exist. Retrieved files may remain stored on the server's file system as original.jpg under the recipe's UUID. An attacker with admin access can retrieve these files. In development settings, this could be exploited to retrieve any downloaded file without needing administrator access.

Recommendations For versions prior to 1.4.0, update to version 1.4.0 to resolve the issue. As a temporary workaround, consider disabling the scrape image function until the update is applied. Restrict access to the original.jpg files stored under recipe UUIDs to minimize the risk of exploitation. Avoid using the scrape image function with untrusted URLs until the issue is resolved.