Email enumeration via Reset password page in bookwyrm-social/bookwyrm


Reported on Jul 6th 2022


Through the Reset password page, an attacker can tell whether an email address is registered just by observing the notification in the response page. Once the attacker knows that an email exists, they can launch a brute-force attack against that account.

If an email exists:

The notification will be "A password reset link was sent to <email_address>", shown in green.

If an email does not exist:

The notification will be "No user with that email address was found.", shown in red.

Proof of Concept

1. Go to the Reset password page (
2. Enter an existing email and click Submit.
3. Observe the success notification.
4. Enter a non-existing email (Ex: and click Submit.
5. Observe the error notification.


Account enumeration is a potential security risk whereby a web site gives out information about which accounts already exist in the system. This may:
a) leave those accounts susceptible to a brute-force attack
b) violate users' privacy, which may be very important for certain types of sites.
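The following is an added example, not code from the report or from bookwyrm itself. It models the behaviour described above as two small reset handlers: one that answers differently depending on whether the address is registered (the oracle the report describes), and a hardened one that returns the same response either way and only sends mail when an account exists. The user store, the helper names and the response messages are assumptions constructed for the example; bookwyrm's real views and models are not used.

```python
"""Added example (not bookwyrm's code): a password-reset handler that leaks
account existence through its response, beside a hardened version that
answers identically whether or not the address is registered."""
from dataclasses import dataclass

# Constructed sample data: the only registered address in this toy store.
REGISTERED_EMAILS = {"alice@example.com"}


@dataclass(frozen=True)
class ResetResponse:
    message: str
    level: str  # "success" or "error", i.e. the green/red colour in the report


def _send_reset_email(email: str) -> None:
    # Hypothetical mail-delivery helper; intentionally a no-op so the
    # example runs offline.
    return None


def vulnerable_reset(email: str, store=REGISTERED_EMAILS) -> ResetResponse:
    """Behaviour described in the report: a different message (and colour)
    depending on whether the address is registered."""
    if email in store:
        return ResetResponse(f"A password reset link was sent to {email}", "success")
    return ResetResponse("No user with that email address was found.", "error")


def hardened_reset(email: str, store=REGISTERED_EMAILS) -> ResetResponse:
    """Mitigation: acknowledge the request with the same message and the same
    level in every case, and do the real work only for a registered address.
    In a real deployment the mail should be queued asynchronously so that the
    extra work in the registered branch does not become a timing oracle."""
    if email in store:
        _send_reset_email(email)
    return ResetResponse(
        "If an account exists for that address, a password reset link has been sent.",
        "success",
    )


def leaks_existence(handler, store=REGISTERED_EMAILS) -> bool:
    """Check a handler the way a reviewer would: compare the responses for a
    registered and an unregistered address. Any difference is an oracle."""
    known = handler("alice@example.com", store)
    unknown = handler("nobody@example.com", store)
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks existence:", leaks_existence(vulnerable_reset))
    print("hardened handler leaks existence:", leaks_existence(hardened_reset))
```

The `leaks_existence` check is the regression test worth keeping around: it fails the moment anyone reintroduces a branch-specific message, status code or colour. Pair the uniform response with rate limiting on the reset endpoint, since a uniform message removes the oracle but not the ability to submit many requests.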

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back a year ago
Mouse Reeve modified the Severity from Critical to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Mouse Reeve validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in v0.4.2 with commit 2d2d01 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE has been validated
Mouse Reeve gave praise a year ago
Thanks for flagging!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1