PT-2024-20000 · Lemmy · Lemmy

Nothing4You · Published 2024-01-24 · Updated 2024-02-02 · CVE-2024-23649

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lemmy versions 0.17.0 through 0.19.0

Description: The issue allows any authenticated user to obtain arbitrary private message contents by creating a private message report. This is possible because the API response to creating a private message report contains the private message itself, and the reporter is not properly validated. The API endpoint /api/v3/private_message/report does not check whether the reporter is the recipient of the message, so any user can report any private message and receive its contents in the response. This can be exploited by iterating over message IDs to obtain all private messages of an instance. The privileges required to exploit this issue depend on the instance configuration; practically no privileges are required when registrations are enabled without an application system.

Recommendations: For Lemmy versions 0.17.0 through 0.19.0, update to version 0.19.1 or later to fix the issue. As a temporary workaround, consider blocking the API route /api/v3/private_message/report in the reverse proxy to prevent exploitation before the update has been applied. This can be done by configuring the reverse proxy to return a 403 error for requests to this endpoint, as shown in the example nginx configuration:
location = /api/v3/private_message/report {
    default_type application/json;
    return 403 '{"error":"couldnt_create_report"}';
}
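The root cause described above is a missing authorization check in the report handler, and the fix is to verify that the reporter is the recipient before returning anything. The following Rust snippet is an added example written for this advisory, not Lemmy's own code: it models the endpoint with an in-memory message store and shows the vulnerable handler next to the corrected one. All type and function names (`MessageStore`, `create_report_vulnerable`, `create_report_fixed`, `exposed_message_count`) and the sample messages are hypothetical.

```rust
// Added example (not Lemmy's code): models the authorization check that
// /api/v3/private_message/report lacked before 0.19.1. All names are hypothetical.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct PrivateMessage {
    pub id: u64,
    pub creator_id: u64,
    pub recipient_id: u64,
    pub content: String,
}

#[derive(Debug, PartialEq)]
pub enum ReportError {
    NotFound,
    NotRecipient,
}

/// In-memory stand-in for the private_message table (constructed sample data).
pub struct MessageStore {
    messages: HashMap<u64, PrivateMessage>,
}

impl MessageStore {
    pub fn sample() -> Self {
        // (id, creator_id, recipient_id, content): three messages between users 10, 20, 30.
        let rows = [
            (1, 10, 20, "hello from 10 to 20"),
            (2, 20, 30, "hello from 20 to 30"),
            (3, 30, 10, "hello from 30 to 10"),
        ];
        let messages = rows
            .iter()
            .map(|&(id, creator_id, recipient_id, content)| {
                (id, PrivateMessage { id, creator_id, recipient_id, content: content.to_string() })
            })
            .collect();
        MessageStore { messages }
    }

    pub fn get(&self, id: u64) -> Option<&PrivateMessage> {
        self.messages.get(&id)
    }
}

/// Signature shared by both handler variants: (store, reporter_id, pm_id).
pub type ReportHandler = fn(&MessageStore, u64, u64) -> Result<PrivateMessage, ReportError>;

/// Vulnerable pattern: the reporter is never compared against the message, and the
/// reported message is echoed back, so the report endpoint doubles as a read endpoint.
pub fn create_report_vulnerable(
    store: &MessageStore,
    _reporter_id: u64,
    pm_id: u64,
) -> Result<PrivateMessage, ReportError> {
    store.get(pm_id).cloned().ok_or(ReportError::NotFound)
}

/// Fixed pattern: only the recipient of a private message may report it.
pub fn create_report_fixed(
    store: &MessageStore,
    reporter_id: u64,
    pm_id: u64,
) -> Result<PrivateMessage, ReportError> {
    let pm = store.get(pm_id).ok_or(ReportError::NotFound)?;
    if pm.recipient_id != reporter_id {
        return Err(ReportError::NotRecipient);
    }
    Ok(pm.clone())
}

/// Regression check for the fix: how many messages with ids 1..=max_id a given user
/// can obtain through the report handler. With the fix this must equal the number of
/// messages addressed to that user.
pub fn exposed_message_count(
    store: &MessageStore,
    user_id: u64,
    max_id: u64,
    handler: ReportHandler,
) -> usize {
    (1..=max_id)
        .filter(|&id| handler(store, user_id, id).is_ok())
        .count()
}

fn main() {
    let store = MessageStore::sample();
    let handlers = [
        ("vulnerable", create_report_vulnerable as ReportHandler),
        ("fixed", create_report_fixed as ReportHandler),
    ];
    for (name, handler) in handlers {
        println!("{name}: user 10 can read {} of 3 messages", exposed_message_count(&store, 10, 3, handler));
    }
}
```

Running `main` prints 3 of 3 for the vulnerable handler and 1 of 3 for the fixed one (user 10 is the recipient of only message 3). The same check makes a useful unit test in any project that returns the reported object in its report response: assert that a non-recipient gets an error, not the message.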

Tags: Exploit · Fix · Information Disclosure · Improper Authorization

Weakness Enumeration

Related Identifiers: CVE-2024-23649, GHSA-R64R-5H43-26QV

Affected Products: Lemmy