Advisory Database

GHSA-wr2m-38xh-rpc9: Lemmy user purging users or communities or banning users can delete images they didn't upload/exclusively use

April 8, 2025

An improper uploaded media ownership check can result in inadvertent deletion of media when a user is banned with content removal or purged. This can lead to deletion of media that was not uploaded by the banned/purged user. This also applies to purged communities, in which case all media posted in that community will get deleted without proper ownership check. This is limited to media with an image/* content-type returned by pict-rs.
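To make the defect class concrete, here is an added Rust model of a purge path (example code written for this page, not Lemmy's own code; the `Media`, `Post` and `Store` types, the function names and the "exclusive use" rule are assumptions). The vulnerable version walks the purged user's posts and deletes every `image/*` upload they reference; the hardened version deletes only uploads owned by that user that no other user's post still embeds.

```rust
use std::collections::HashMap;

/// One stored upload as pict-rs reports it (hypothetical model type, not Lemmy's).
#[derive(Clone, Debug)]
pub struct Media { pub uploader: u64, pub content_type: String }
/// A post embedding uploads by alias (hypothetical model type).
#[derive(Clone, Debug)]
pub struct Post { pub author: u64, pub media_aliases: Vec<String> }
pub type Store = HashMap<String, Media>; // alias -> media
fn is_image(m: &Media) -> bool { m.content_type.starts_with("image/") }

/// Defective purge: deletes every image referenced by the purged user's posts
/// without checking who uploaded it (the defect class the advisory describes).
pub fn purge_user_vulnerable(user: u64, posts: &[Post], media: &Store) -> Vec<String> {
    let mut doomed: Vec<String> = Vec::new();
    for post in posts.iter().filter(|p| p.author == user) {
        for alias in &post.media_aliases {
            if media.get(alias).map_or(false, is_image) && !doomed.contains(alias) {
                doomed.push(alias.clone());
            }
        }
    }
    doomed
}

/// Hardened purge: only images the purged user uploaded, and only those no other
/// user's post still embeds (the "exclusive use" condition; an assumption here).
pub fn purge_user_fixed(user: u64, posts: &[Post], media: &Store) -> Vec<String> {
    let used_by_others = |alias: &String| posts.iter()
        .any(|p| p.author != user && p.media_aliases.contains(alias));
    let mut doomed: Vec<String> = media.iter()
        .filter(|(alias, m)| m.uploader == user && is_image(m) && !used_by_others(*alias))
        .map(|(alias, _)| alias.to_string())
        .collect();
    doomed.sort(); // HashMap iteration order is arbitrary
    doomed
}

/// Constructed sample: user 1 is purged. "b" was uploaded by user 2 and "a" is
/// also embedded in user 2's post, so a correct purge deletes only "d".
pub fn sample() -> (Vec<Post>, Store) {
    fn media(alias: &str, uploader: u64, ct: &str) -> (String, Media) {
        (alias.to_string(), Media { uploader, content_type: ct.to_string() }) }
    fn post(author: u64, aliases: &[&str]) -> Post {
        Post { author, media_aliases: aliases.iter().map(|s| s.to_string()).collect() }
    }
    let store = Store::from([media("a", 1, "image/png"), media("b", 2, "image/jpeg"),
                             media("c", 1, "video/mp4"), media("d", 1, "image/gif")]);
    (vec![post(1, &["a", "b", "c"]), post(2, &["a"]), post(1, &["d"])], store)
}
```

Running both purges for user 1 over the sample shows the over-deletion: the vulnerable path removes "a", "b" and "d" (taking user 2's upload with it), the hardened path removes only "d".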

References

  • github.com/LemmyNet/lemmy
  • github.com/LemmyNet/lemmy/pull/1809
  • github.com/LemmyNet/lemmy/pull/3927
  • github.com/LemmyNet/lemmy/pull/5566
  • github.com/LemmyNet/lemmy/security/advisories/GHSA-wr2m-38xh-rpc9
  • github.com/advisories/GHSA-wr2m-38xh-rpc9


Affected versions

All versions starting from 0.17.0 before 0.19.11

Fixed versions

  • 0.19.11

Solution

Upgrade to version 0.19.11 or above.

Weakness

  • CWE-708: Incorrect Ownership Assignment

Source file

cargo/lemmy_server/GHSA-wr2m-38xh-rpc9.yml

Page generated Wed, 14 May 2025 12:15:29 +0000.