Vulnerability DatabaseGHSA-wr2m-38xh-rpc9

GHSA-wr2m-38xh-rpc9:
Rust vulnerability analysis and mitigation

Overview

An improper uploaded media ownership check vulnerability was discovered in Lemmy server versions >=0.17.0 and <0.19.11, identified as GHSA-wr2m-38xh-rpc9. The vulnerability could result in inadvertent deletion of media when a user is banned with content removal or purged, potentially leading to deletion of media not uploaded by the banned/purged user. This issue also affects purged communities, where all media posted in that community could be deleted without proper ownership verification (GitHub Advisory).

Technical details

The vulnerability stems from Lemmy's lack of user-media upload association prior to version 0.19.0. The media storage backend, pict-rs, implements two types of deletion: regular deletion which removes only referenced aliases, and purge which deletes all aliases and the backing file. The vulnerability arose from the logic implemented in 0.17.0 that iterates over media URLs related to users and communities during purging operations, resulting in full deletion of backing media even if the same URL was uploaded by different users or the same media was uploaded with different aliases. The issue is limited to media with an image/* content-type returned by pict-rs (GitHub Advisory).

Impact

The impact varies based on instance configuration. For instances with open federation (the majority), the vulnerability can be exploited remotely without authentication. For instances with limited or no federation, exploitation requires user interaction by an admin of the targeted instance or a federation-linked instance if federation is enabled. The vulnerability has been assigned a CVSS score of 6.9 (Moderate) with attack vector: Network, attack complexity: Low, and privileges required: None (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 0.19.11. The fix includes changes to ensure proper media ownership verification and limiting the scope of media deletion operations. Administrators should upgrade to version 0.19.11 or later to mitigate this vulnerability (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related Rust vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66627	HIGH	8.4	Rust	wasmi	No	Yes	Dec 09, 2025
GHSA-xrv8-2pf5-f3q7	MEDIUM	6	Rust	nitro-tpm-pcr-compute	No	Yes	Dec 05, 2025
CVE-2025-67487	MEDIUM	5.5	Rust	static-web-server	No	Yes	Dec 09, 2025
CVE-2025-66622	LOW	1.3	Rust	matrix-sdk-base	No	Yes	Dec 09, 2025
RUSTSEC-2025-0135	N/A	N/A	Rust	matrix-sdk-base	No	Yes	Dec 08, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-wr2m-38xh-rpc9: Rust vulnerability analysis and mitigation