Summary
The local_image table associates uploaded media with the uploader.
It is possible for any local user to delete entries from this table, which prevents admins from attributing uploads to individual users and prevents the original uploader from deleting their media.
Details
Lemmy before 1.0 requires a deletion token for deleting media through its API.
The deletion endpoint does not verify that the upload belongs to the user, as only the uploader and admins can access delete tokens.
While the deletion method first calls to pict-rs to perform the deletion, including the token used for deletion, Lemmy does not currently validate the response returned by pict-rs, while still deleting the associated local_image row in any case.
As a result, a user can provide an incorrect delete token, which will be rejected by pict-rs, but Lemmy still deletes the associated local_user row, making it impossible for admins or uploaders to delete the upload through regular Lemmy APIs, if they haven't previously stored this token elsewhere.
Impact
Instances with open/semi-open registrations
Most multi-user Lemmy instances have mechanisms allowing users to sign up by themselves.
This includes instances with fully open registration, as well as instances using the application system.
Even for application-based instances, most of them are still pretty much open to new users due to automatic approvals or approvals after answering a CAPTCHA-like question.
Any instance allowing untrusted users is affected by this, as the only requirement is a local user account.
Instances with closed registration, only trusted users
As this vulnerability does not include any form of authentication bypass and isn't exploitable through federation the impact for these instances is more limited due to the barrier of having to obtain valid user credentials first.
For these instances the CVSS v4 score is 5.3 at CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.
Nothing4You Reporter
Summary
The local_image table associates uploaded media with the uploader.
It is possible for any local user to delete entries from this table, which prevents admins from attributing uploads to individual users and prevents the original uploader from deleting their media.
Details
Lemmy before 1.0 requires a deletion token for deleting media through its API.
The deletion endpoint does not verify that the upload belongs to the user, as only the uploader and admins can access delete tokens.
While the deletion method first calls to pict-rs to perform the deletion, including the token used for deletion, Lemmy does not currently validate the response returned by pict-rs, while still deleting the associated
local_imagerow in any case.As a result, a user can provide an incorrect delete token, which will be rejected by pict-rs, but Lemmy still deletes the associated
local_userrow, making it impossible for admins or uploaders to delete the upload through regular Lemmy APIs, if they haven't previously stored this token elsewhere.Impact
Instances with open/semi-open registrations
Most multi-user Lemmy instances have mechanisms allowing users to sign up by themselves.
This includes instances with fully open registration, as well as instances using the application system.
Even for application-based instances, most of them are still pretty much open to new users due to automatic approvals or approvals after answering a CAPTCHA-like question.
Any instance allowing untrusted users is affected by this, as the only requirement is a local user account.
Instances with closed registration, only trusted users
As this vulnerability does not include any form of authentication bypass and isn't exploitable through federation the impact for these instances is more limited due to the barrier of having to obtain valid user credentials first.
For these instances the CVSS v4 score is 5.3 at
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.