By bypassing remote‑image blocking, the flaw exposed users to covert tracking and privacy breaches, weakening a core security control of webmail clients. The fix highlights the necessity of exhaustive SVG sanitization in email platforms.
Email providers rely on remote‑image blocking to prevent unsolicited tracking, yet modern HTML emails increasingly embed SVG elements that can fetch external resources. The <feImage> tag, originally designed for filter effects, loads an image via its href attribute, and because Roundcube’s sanitizer routed this through a generic link‑handler, the URL slipped past the image‑blocking logic. This subtle vector demonstrates how overlooked SVG primitives can resurrect old tracking techniques without raising user suspicion.
The root cause lay in Roundcube’s attribute classification: only <img>, <image>, and <use> were flagged as image sources, while <feImage> was mistakenly treated as a regular hyperlink. Consequently, the sanitization routine applied wash_link(), which permits HTTP/HTTPS URLs, instead of wash_uri(), which enforces remote‑image restrictions. Similar gaps have appeared in other email clients and web applications that maintain hand‑crafted allowlists, underscoring the difficulty of fully covering the expansive SVG specification.
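The classification gap is easiest to see in code. The following is an added illustration, not Roundcube's sanitizer: the function names (wash_image_uri, wash_link, sanitize_svg, surviving_remote_hrefs), the allowlist constants and the sample SVG are all constructed for this example. It sanitizes href/xlink:href attributes two ways: with a hand-crafted allowlist that omits <feImage>, reproducing the flaw, and with a deny-by-default rule under which any href not on an <a> element goes through the stricter image handler. The second rule is a design choice of this example, chosen so that SVG primitives the allowlist never heard of cannot fall through to the hyperlink path.

```python
"""Hypothetical SVG href sanitizer showing the feImage classification gap.

Added example; not Roundcube's code. All names here are made up for the
illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
HREF_ATTRS = ("href", XLINK_HREF)

# Hand-crafted allowlist mirroring the flawed classification: <feImage> is
# absent, so its href falls through to the hyperlink handler.
VULNERABLE_IMAGE_ELEMENTS = frozenset({"img", "image", "use"})
# Elements that are genuinely hyperlinks; in hardened mode everything else
# carrying an href is treated as an image source (deny-by-default).
HYPERLINK_ELEMENTS = frozenset({"a"})


def wash_image_uri(url, block_remote):
    """Image-source handler: drops http(s) URLs when remote images are blocked."""
    scheme = urlparse(url).scheme
    if scheme in ("http", "https"):
        return None if block_remote else url
    if scheme in ("data", ""):          # inline data and fragment refs are local
        return url
    return None


def wash_link(url):
    """Hyperlink handler: http(s) always passes; there is no remote-image check."""
    return url if urlparse(url).scheme in ("http", "https", "mailto", "") else None


def local_name(tag):
    """Strip the namespace prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def sanitize_svg(svg_text, block_remote=True, image_elements=None):
    """Return (sanitized_svg, removed), where removed lists (tag, url) pairs.

    image_elements=None selects the hardened rule: any href not on a
    hyperlink element is an image source. Passing an explicit allowlist
    reproduces the flawed classification.
    """
    root = ET.fromstring(svg_text)
    removed = []
    for el in root.iter():
        tag = local_name(el.tag)
        for attr in HREF_ATTRS:
            url = el.attrib.get(attr)
            if url is None:
                continue
            if image_elements is None:
                is_image = tag not in HYPERLINK_ELEMENTS
            else:
                is_image = tag in image_elements
            cleaned = wash_image_uri(url, block_remote) if is_image else wash_link(url)
            if cleaned is None:
                del el.attrib[attr]
                removed.append((tag, url))
            else:
                el.attrib[attr] = cleaned
    return ET.tostring(root, encoding="unicode"), removed


def surviving_remote_hrefs(svg_text, image_elements=None):
    """(tag, url) pairs whose http(s) href survives sanitizing with remote images blocked."""
    cleaned, _ = sanitize_svg(svg_text, True, image_elements)
    out = []
    for el in ET.fromstring(cleaned).iter():
        for attr in HREF_ATTRS:
            url = el.attrib.get(attr)
            if url and urlparse(url).scheme in ("http", "https"):
                out.append((local_name(el.tag), url))
    return out


# Constructed sample message body: a 1x1 <image> beacon, a <feImage> beacon
# inside a filter, and an ordinary link. The hostnames are placeholders.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="https://tracker.example/pixel.png" width="1" height="1"/>
  <filter id="f"><feImage xlink:href="https://tracker.example/fe.png"/></filter>
  <a href="https://example.org/page">link</a>
</svg>"""

if __name__ == "__main__":
    print("flawed  :", surviving_remote_hrefs(SAMPLE_SVG, VULNERABLE_IMAGE_ELEMENTS))
    print("hardened:", surviving_remote_hrefs(SAMPLE_SVG))
```

With the flawed allowlist the <image> beacon is stripped but the <feImage> href survives, because it was washed as a link; under the deny-by-default rule only the user-clicked <a> href remains. The same two calls make a compact regression test for a sanitizer: assert that no http(s) href survives on any element other than an explicit hyperlink when remote images are blocked.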
For businesses, the vulnerability translates to a breach of user privacy and potential compliance violations, especially under regulations that mandate explicit consent for tracking. Promptly updating to Roundcube 1.5.13 or 1.6.13 eliminates the immediate risk, but organizations should also adopt layered defenses: enforce strict content‑security policies, monitor outbound requests from email rendering engines, and regularly audit sanitization code against the evolving SVG standard. Investing in comprehensive testing of HTML sanitizers can prevent similar oversights from reaching production.