🐘 Packagist

GHSA-5q8v-j673-m5v4

Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)

Published: Mar 7, 2026
Updated: Mar 7, 2026
Affected: 1 pkg
Patched: 1 / 1
Exploits: None indexed

Blast Radius

1 pkg affected
🐘grumpydictator/firefly-iii


Description

Summary

The User management API endpoints (GET /api/v1/users and GET /api/v1/users/{id}) are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status.

Affected Endpoints

  1. GET /api/v1/users (UserController::index, line 94) — Lists ALL users with full details. No role check.
  2. GET /api/v1/users/{id} (UserController::show, line 126) — Shows any user's details by ID. No role check.

Root Cause (1-of-N Inconsistency)

Other methods in the same controller properly check for the 'owner' role:

  • store() — UserStoreRequest::authorize() checks auth()->user()->hasRole('owner')
  • destroy() — Explicitly checks $this->repository->hasRole($admin, 'owner')

But index() and show() have no role check at all. The route group at routes/api.php:734-747 has no admin middleware, only the global auth:api middleware.

Exposed Data

The UserTransformer (lines 40-54) returns:

  • email — user's email address
  • role — user's role (owner/demo)
  • blocked — account blocked status
  • blocked_code — block reason
  • created_at / updated_at — timestamps

Impact

Any authenticated user can:

  1. Enumerate ALL user accounts in the instance
  2. Harvest email addresses for phishing/social engineering
  3. Identify admin/owner accounts by role
  4. Determine which accounts are blocked

Exploitation

# List all users
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users

# View specific user details
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users/1

Suggested Fix

Add owner role checks to index() and show(), or restrict the route group with admin middleware:

// Option 1: Add check in controller methods
public function show(User $user): JsonResponse
{
    if (!$this->repository->hasRole(auth()->user(), 'owner') && auth()->user()->id !== $user->id) {
        throw new FireflyException('200025: No access to function.');
    }
    // ...
}

// Option 2: Add middleware to route group
Route::group(['middleware' => ['admin'], ...], ...)
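Option 2 is only sketched above, so here is an added example (not Firefly III's own code) of a route-level middleware that enforces the owner role for the whole user-management group, which removes the 1-of-N risk of a single method forgetting its check. It assumes the User model's hasRole() method that UserStoreRequest::authorize() already uses; the class name EnsureOwnerRole, the route names and the group layout are assumptions, not the real routes/api.php lines 734-747.

```php
<?php
// app/Http/Middleware/EnsureOwnerRole.php (hypothetical path and class name)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Symfony\Component\HttpFoundation\Response;

class EnsureOwnerRole
{
    // Reject any request whose authenticated user lacks the 'owner' role.
    // hasRole() is the same User method the advisory shows UserStoreRequest::authorize() calling.
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user();
        if (null === $user || !$user->hasRole('owner')) {
            // 403, not 404: the resource exists, the caller simply may not list or read it.
            return response()->json(['message' => 'No access to function.'], 403);
        }

        return $next($request);
    }
}

// routes/api.php (assumed registration, shown here for illustration only).
// Because the middleware sits on the group, index() and show() are covered
// without touching each controller method; auth:api still runs first so
// unauthenticated callers get 401 before the role check ever runs.
Route::group(
    [
        'middleware' => ['auth:api', EnsureOwnerRole::class],
        'prefix'     => 'v1/users',
        'as'         => 'api.v1.users.',
    ],
    static function (): void {
        Route::get('', ['uses' => 'UserController@index', 'as' => 'index']);
        Route::get('{user}', ['uses' => 'UserController@show', 'as' => 'show']);
        Route::post('', ['uses' => 'UserController@store', 'as' => 'store']);
        Route::delete('{user}', ['uses' => 'UserController@destroy', 'as' => 'destroy']);
    }
);
```

Unlike Option 1, this variant also denies a non-owner reading their own record via GET /api/v1/users/{id}; if self-access is required, keep the per-method check from Option 1 on show() instead of gating that one route.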

Affected Packages

1 total, 1 fixed

Ecosystem | Package                     | Vulnerable range    | Fix
Packagist | grumpydictator/firefly-iii  | 6.4.23 && < 6.5.1   | 6.5.1

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for grumpydictator/firefly-iii. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update grumpydictator/firefly-iii to 6.5.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-5q8v-j673-m5v4 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-5q8v-j673-m5v4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-5q8v-j673-m5v4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
