Email enumeration via reset password functionality in pixelfed/pixelfed


Reported on

Jan 18th 2023


User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the response body, response headers or sometimes, in the response delay.

Proof of Concept

  1. Go to /password/reset
  2. Enter the following two emails and check the difference of the responses:
  • Registered email:
<input id="email" type="email" class="form-control" name="email" placeholder="E-Mail Address" value="" required>
  • Not registered email:
<input id="email" type="email" class="form-control" name="email" placeholder="E-Mail Address" value="xxx@local" required>

Notice that not registered email is in the value attribute.


User and email enumeration allows an attacker to find valid usernames/emails on the victim application. It can use this information to do more advanced attacks like bruteforcing passwords or phishing attemps.

We are processing your report and will contact the pixelfed team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the pixelfed team and are waiting to hear back a year ago
pixelfed/pixelfed maintainer has acknowledged this report a year ago
pixelfed/pixelfed maintainer gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
pixelfed/pixelfed maintainer validated this vulnerability a year ago
bauh0lz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pixelfed/pixelfed maintainer marked this as fixed in 0.11.4 with commit 5b5f5b a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation