CVE-2024-23649: Any authenticated user may obtain private message details from other users on the same instance
Description
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.
Creating a private message report by POSTing to `/api/v3/private_message/report` does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the `private_message_report_view` with all the details of the report, including the private message that has been reported:
Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.
Version 0.19.1 contains a patch for this issue. A workaround is available. If an...
Classification
CVE ID: CVE-2024-23649
CVSS Base Severity: HIGH
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Problem Types
CWE-285: Improper Authorization CWE-200: Exposure of Sensitive Information to an Unauthorized ActorAffected Products
Vendor: LemmyNet
Product: lemmy
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.21% (probability of being exploited)
EPSS Percentile: 43.58% (scored less or equal to compared to others)
EPSS Date: 2025-06-07 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: true
References
https://nvd.nist.gov/vuln/detail/CVE-2024-23649https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv
https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5