Any authenticated user may obtain private message details from other users on the same instance
Description
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.
Creating a private message report by POSTing to /api/v3/private_message/report does not validate whether the reporter is the recipient of the message. lemmy-ui does not allow the sender to report the message; the API method should likely be restricted to accessible to recipients only. The API response when creating a report contains the private_message_report_view with all the details of the report, including the private message that has been reported:
Any authenticated user can obtain arbitrary (untargeted) private message contents. Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.
Version 0.19.1 contains a patch for this issue. A workaround is available. If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lemmy_servercrates.io | >= 0.17.0, < 0.19.1 | 0.19.1 |
Affected products
1Patches
1bc32b408b523Fixing private message reports. (#4279)
4 files changed · +60 −1
api_tests/prepare-drone-federation-test.sh+1 −1 modified@@ -9,7 +9,7 @@ export RUST_LOG="warn,lemmy_server=debug,lemmy_federate=debug,lemmy_api=debug,le export LEMMY_TEST_FAST_FEDERATION=1 # by default, the persistent federation queue has delays in the scale of 30s-5min # pictrs setup -if ! [ -f "pict-rs" ]; then +if [ ! -f "pict-rs" ]; then curl "https://git.asonix.dog/asonix/pict-rs/releases/download/v0.5.0-beta.2/pict-rs-linux-amd64" -o api_tests/pict-rs chmod +x api_tests/pict-rs fi
api_tests/src/private_message.spec.ts+40 −0 modified@@ -10,6 +10,7 @@ import { deletePrivateMessage, unfollowRemotes, waitUntil, + reportPrivateMessage, } from "./shared"; let recipient_id: number; @@ -109,3 +110,42 @@ test("Delete a private message", async () => { betaPms1.private_messages.length, ); }); + +test("Create a private message report", async () => { + let pmRes = await createPrivateMessage(alpha, recipient_id); + let betaPms1 = await waitUntil( + () => listPrivateMessages(beta), + m => + !!m.private_messages.find( + e => + e.private_message.ap_id === + pmRes.private_message_view.private_message.ap_id, + ), + ); + let betaPm = betaPms1.private_messages[0]; + expect(betaPm).toBeDefined(); + + // Make sure that only the recipient can report it, so this should fail + await expect( + reportPrivateMessage( + alpha, + pmRes.private_message_view.private_message.id, + "a reason", + ), + ).rejects.toStrictEqual(Error("couldnt_create_report")); + + // This one should pass + let reason = "another reason"; + let report = await reportPrivateMessage( + beta, + betaPm.private_message.id, + reason, + ); + + expect(report.private_message_report_view.private_message.id).toBe( + betaPm.private_message.id, + ); + expect(report.private_message_report_view.private_message_report.reason).toBe( + reason, + ); +});
api_tests/src/shared.ts+14 −0 modified@@ -4,12 +4,14 @@ import { BlockInstance, BlockInstanceResponse, CommunityId, + CreatePrivateMessageReport, GetReplies, GetRepliesResponse, GetUnreadCountResponse, InstanceId, LemmyHttp, PostView, + PrivateMessageReportResponse, SuccessResponse, } from "lemmy-js-client"; import { CreatePost } from "lemmy-js-client/dist/types/CreatePost"; @@ -781,6 +783,18 @@ export async function reportComment( return api.createCommentReport(form); } +export async function reportPrivateMessage( + api: LemmyHttp, + private_message_id: number, + reason: string, +): Promise<PrivateMessageReportResponse> { + let form: CreatePrivateMessageReport = { + private_message_id, + reason, + }; + return api.createPrivateMessageReport(form); +} + export async function listCommentReports( api: LemmyHttp, ): Promise<ListCommentReportsResponse> {
crates/api/src/private_message_report/create.rs+5 −0 modified@@ -31,6 +31,11 @@ pub async fn create_pm_report( let private_message_id = data.private_message_id; let private_message = PrivateMessage::read(&mut context.pool(), private_message_id).await?; + // Make sure that only the recipient of the private message can create a report + if person_id != private_message.recipient_id { + Err(LemmyErrorType::CouldntCreateReport)? + } + let report_form = PrivateMessageReportForm { creator_id: person_id, private_message_id,
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-r64r-5h43-26qvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-23649ghsaADVISORY
- github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5ghsax_refsource_MISCWEB
- github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qvghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.