CVE-2026-29055

Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII

CVSS 5.3 MEDIUM · EPSS 0.3% · CWE-1230
In short

Tandoor Recipes fails to remove sensitive information (like GPS location and timestamps) from WebP and GIF photos that users upload. This means anyone viewing a recipe can see where the photo was taken and other private details embedded in the image.

Technical detail

The application explicitly bypasses EXIF metadata stripping for WebP and GIF formats during image upload processing, so sensitive metadata, including GPS coordinates, camera model, and timestamps, is retained and exposed to every user with recipe view access. Exploitation requires user interaction (an image upload); the impact is information disclosure, with no authentication bypass involved.

Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer TODO comment in the source code acknowledges this as a known issue. As a result, when users upload recipe photos in WebP format (the default format for modern smartphone cameras), their sensitive EXIF data — including GPS coordinates, camera model, timestamps, and software information — is stored and served to all users who can view the recipe. Version 2.6.0 fixes the issue.
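To make the WebP case above concrete, here is an added example (not Tandoor's own code): a dependency-free check that lists the EXIF/XMP chunks left in an uploaded WebP container, and a sanitizer that rebuilds the file without them and clears the matching VP8X flag bits, which is the kind of output test a pipeline like this should have. It covers only WebP (GIF stores comments and XMP in application extensions with a different layout); the chunk names and flag bits follow the public WebP container layout, and `build_sample_webp` is a constructed, non-decodable fixture used only to exercise the functions.

```python
import struct

# Metadata chunks in the WebP (RIFF) container. Only these are dropped; the
# bitstream chunks (VP8, VP8L, VP8X, ALPH, ANIM, ANMF, ICCP) are kept intact.
METADATA_CHUNKS = {b"EXIF", b"XMP "}
VP8X_META_FLAGS = 0x08 | 0x04   # VP8X flags byte: bit 3 = EXIF, bit 2 = XMP

def pack_chunk(fourcc: bytes, payload: bytes) -> bytes:
    """RIFF chunk: fourcc, little-endian size, payload padded to even length."""
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)

def iter_webp_chunks(data: bytes):
    """Yield (fourcc, payload) for each chunk of a WebP file, walking the RIFF layout."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    pos, end = 12, min(len(data), 8 + struct.unpack("<I", data[4:8])[0])
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)   # chunks are padded to an even length

def webp_metadata_chunks(data: bytes) -> list:
    """Names of metadata chunks still present. A non-empty list on a stored
    upload means the sanitizer let EXIF/XMP (and any GPS inside it) through."""
    return [f.decode() for f, _ in iter_webp_chunks(data) if f in METADATA_CHUNKS]

def strip_webp_metadata(data: bytes) -> bytes:
    """Rebuild the container without EXIF/XMP chunks, clear the matching
    VP8X flag bits, and recompute the RIFF size field."""
    body = b""
    for fourcc, payload in iter_webp_chunks(data):
        if fourcc in METADATA_CHUNKS:
            continue
        if fourcc == b"VP8X" and payload:
            payload = bytes([payload[0] & ~VP8X_META_FLAGS & 0xFF]) + payload[1:]
        body += pack_chunk(fourcc, payload)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body

def build_sample_webp(with_exif: bool) -> bytes:
    """Constructed fixture (not a decodable image): VP8X header for a 1x1 canvas,
    a dummy VP8L chunk and, optionally, a fake EXIF chunk of odd length."""
    vp8x = bytes([0x08 if with_exif else 0x00, 0, 0, 0]) + b"\x00" * 6
    body = pack_chunk(b"VP8X", vp8x) + pack_chunk(b"VP8L", b"\x2f\x00\x00\x00\x00")
    if with_exif:
        body += pack_chunk(b"EXIF", b"Exif\x00\x00FAKEGPS")   # 13 bytes, exercises padding
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body
```

Running `webp_metadata_chunks` over stored uploads is a cheap way to confirm a sanitizer actually handled WebP rather than trusting a format allowlist.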
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
TandoorRecipes · recipes
