Security advisory: EZSA-2020-002

Unauthorised cache purge with misconfigured Fastly
Publication date: 11/03/2020, 16:12


Affected versions: eZ Platform with eZ Cloud ( and Fastly
Resolving versions: N/A (follow documented recommendation)

This Security Advisory is about a potential vulnerability in how cache is purged when using eZ Platform with eZ Cloud ( and Fastly. We say "potential vulnerability", because when eZ Platform is correctly configured for this setup, it's not vulnerable. But if the configuration is not correct, there's a vulnerability that could be abused by an attacker to purge all caches on a target site repeatedly, leading to very poor performance and potential Denial-of-Service (DoS).

The configuration in question:

Varnish is enabled by default when deploying on In order to use Fastly with eZ Platform, Varnish must be disabled, as is documented here:

This includes, among other things, removing this environment variable:


All these conditions must be met to be vulnerable:

- Use eZ Platform on eZ Cloud (
- Use Fastly
- Have not disabled Varnish

If you are vulnerable, please disable Varnish as documented and redeploy as soon as possible.
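As an added illustration, not code from the advisory or from eZ, the following audit flags the three conditions above in a Platform.sh-style configuration. It assumes the config files have already been loaded into Python dicts (as a YAML loader would produce them) and that the purge backend is selected by an environment variable named HTTPCACHE_PURGE_TYPE; that variable name is an assumption, since the advisory's own copy of the variable is missing from this page.

```python
# Added example (not from the advisory or eZ): audit a Platform.sh-style
# configuration for the EZSA-2020-002 condition "Fastly in use, Varnish not
# disabled". Assumed layout (not stated on the page): service definitions as
# in .platform/services.yaml, routes as in .platform/routes.yaml, and the app's
# environment variables, with the purge backend chosen by HTTPCACHE_PURGE_TYPE.
from typing import Dict, List


def audit_cache_config(services: Dict, routes: Dict, env: Dict) -> List[str]:
    """Return findings; an empty list means Varnish is disabled as documented."""
    if env.get("HTTPCACHE_PURGE_TYPE") != "fastly":
        return []  # the advisory only applies when Fastly is the purge backend
    findings = []
    # Any service whose type is varnish (e.g. "varnish:6.0") is still deployed.
    varnish = [n for n, s in services.items() if str(s.get("type", "")).startswith("varnish")]
    if varnish:
        findings.append(f"Varnish service(s) still defined: {', '.join(varnish)}")
    # A route whose upstream is "<varnish-service>:http" still fronts the app with Varnish.
    for url, spec in routes.items():
        upstream = str(spec.get("upstream", ""))
        if any(upstream.startswith(v + ":") for v in varnish):
            findings.append(f"Route {url} still upstreams to Varnish ({upstream})")
    return findings


# Constructed sample: Fastly turned on but the default Varnish service left in place.
VULNERABLE = dict(
    services={"varnish": {"type": "varnish:6.0", "relationships": {"app": "app:http"}},
              "mysqldb": {"type": "mysql:10.2"}},
    routes={"https://{default}/": {"type": "upstream", "upstream": "varnish:http"}},
    env={"HTTPCACHE_PURGE_TYPE": "fastly"},
)
# Constructed sample: Varnish removed and the route pointed straight at the app.
FIXED = dict(
    services={"mysqldb": {"type": "mysql:10.2"}},
    routes={"https://{default}/": {"type": "upstream", "upstream": "app:http"}},
    env={"HTTPCACHE_PURGE_TYPE": "fastly"},
)

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, audit_cache_config(**cfg) or ["OK"])
```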
