Email enumeration via reset password functionality in pixelfed/pixelfed


Reported on

Jan 18th 2023


User enumeration is when a malicious actor can use brute-force techniques to either guess or confirm valid users in a system. The malicious actor is looking for differences in the server's response based on the validity of submitted credentials. The differences can be inside the response body, response headers or sometimes, in the response delay.

Proof of Concept

  1. Go to /password/reset
  2. Enter the following two emails and check the difference of the responses:
  • Registered email:
<input id="email" type="email" class="form-control" name="email" placeholder="E-Mail Address" value="" required>
  • Not registered email:
<input id="email" type="email" class="form-control" name="email" placeholder="E-Mail Address" value="xxx@local" required>

Notice that not registered email is in the value attribute.


User and email enumeration allows an attacker to find valid usernames/emails on the victim application. It can use this information to do more advanced attacks like bruteforcing passwords or phishing attemps.

We are processing your report and will contact the pixelfed team within 24 hours. 2 months ago
We have contacted a member of the pixelfed team and are waiting to hear back 2 months ago
pixelfed/pixelfed maintainer has acknowledged this report 2 months ago
pixelfed/pixelfed maintainer gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
pixelfed/pixelfed maintainer validated this vulnerability 2 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pixelfed/pixelfed maintainer marked this as fixed in 0.11.4 with commit 5b5f5b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 18th 2023
pixelfed/pixelfed maintainer published this vulnerability a month ago
to join this conversation