Capgo - EXIF Metadata Exposure via Image Upload
Description
Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"EXIF metadata is not sanitized on the server side; uploaded images are stored and served as-is without stripping GPS geolocation data."
Attack vector
An attacker uploads an image containing EXIF GPS metadata (e.g., from a mobile device with location enabled) via the personal image upload feature. After the image is stored and served as-is, the attacker downloads or inspects the image URL and extracts precise latitude and longitude coordinates using tools like jimpl.com [ref_id=1]. No authentication is required beyond normal user access to the upload feature.
Affected code
The application's image upload feature (https://console.capgo.app/settings/account) stores and serves uploaded images without stripping EXIF metadata. No server-side image processing pipeline sanitizes the files before storage or delivery.
What the fix does
The advisory recommends stripping all EXIF metadata (especially GPSLatitude, GPSLongitude, device, and timestamp fields) on upload using server-side image processing libraries, and reprocessing existing uploaded images to remove sensitive metadata [ref_id=1]. No patch diff is provided in the bundle; the remediation guidance is the authoritative fix description.
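As an added example (not Capgo's code, and dependency-free rather than the image-library route the advisory suggests), the server-side step the remediation calls for, written as a JavaScript JPEG segment filter that drops the Exif/XMP APP1 segments before an upload is stored; the names `listSegments`, `stripExif` and `buildSampleJpeg` are assumed here, and the sample bytes are constructed, not a real image.

```javascript
// Added example, not Capgo's code: remove the APP1 segments (Exif, and XMP, which can
// also carry location data) from a JPEG before storing it, keeping what decoders need.
const SOI = 0xd8, EOI = 0xd9, SOS = 0xda, APP0 = 0xe0, APP1 = 0xe1;

// Walk the marker segments that precede the scan (SOS); metadata only lives there.
function listSegments(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xff || bytes[1] !== SOI) throw new Error("not a JPEG");
  const segs = [];
  let pos = 2;
  while (pos + 2 <= bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }             // fill byte before a marker
    if (marker === SOS) { segs.push({ marker, start: pos, end: bytes.length }); return segs; }
    if (marker === EOI || marker === SOI || marker === 0x01 || (marker >= 0xd0 && marker <= 0xd7)) {
      segs.push({ marker, start: pos, end: pos + 2 });         // standalone marker, no length
      pos += 2; continue;
    }
    if (pos + 4 > bytes.length) break;
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3];        // big-endian, counts itself
    if (len < 2 || pos + 2 + len > bytes.length) throw new Error(`truncated segment at ${pos}`);
    segs.push({ marker, start: pos, end: pos + 2 + len });
    pos += 2 + len;
  }
  throw new Error("no SOS or EOI found: truncated JPEG");
}

// Rebuild the file as SOI plus every segment except APP1. APP0 (JFIF), APP2 (ICC) and
// APP14 (Adobe) stay, since decoders use them for colour handling. A second pass over an
// already-stripped file is a no-op, so the same function can reprocess the existing store.
function stripExif(bytes) {
  const parts = [bytes.subarray(0, 2)];
  for (const seg of listSegments(bytes)) {
    if (seg.marker !== APP1) parts.push(bytes.subarray(seg.start, seg.end));
  }
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Constructed sample: SOI, a JFIF APP0, an APP1 "Exif" segment whose single IFD entry is
// the GPS IFD pointer tag (0x8825), then SOS with two bytes of fake scan data and EOI.
function buildSampleJpeg() {
  const seg = (m, p) => [0xff, m, (p.length + 2) >> 8, (p.length + 2) & 0xff, ...p];
  const exif = [0x45, 0x78, 0x69, 0x66, 0, 0, 0x4d, 0x4d, 0, 0x2a, 0, 0, 0, 8, 0, 1, 0x88, 0x25];
  return new Uint8Array([0xff, SOI, ...seg(APP0, [0x4a, 0x46, 0x49, 0x46, 0]), ...seg(APP1, exif),
    0xff, SOS, 0, 4, 0, 0, 0xab, 0xcd, 0xff, EOI]);
}
```

Run the filter on the upload handler's write path and again as a batch job over files already in storage; a PNG or WebP upload needs its own chunk-level filter, which this JPEG-only example does not cover.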
Preconditions
- Auth: Attacker must have access to the image upload feature (https://console.capgo.app/settings/account)
- Input: Uploaded image must contain EXIF GPS metadata (e.g., captured with location enabled on a mobile device)
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-c5w9-886p-9j2x (MITRE; vendor advisory)
- www.vulncheck.com/advisories/capgo-exif-metadata-exposure-via-image-upload (MITRE; third-party advisory)