Accept weak password in reset-password function in bookwyrm-social/bookwyrm


Reported on Jul 11th 2022


Steps to reproduce:

1. Go to
2. Type your email and receive the reset-password link.
3. Enter `a` as the new password; the change succeeds.

Proof of Concept

POST /password-reset/D4VUXDL5 HTTP/2
Cookie: csrftoken=ivRWhtdEybPyWPLQQeSerUxyZxoHTLM3n7WEY8ANL6vVlWnx4h5vM5WlNrRlO4Bx; django_language=None
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers



Because the server accepts weak passwords, an attacker can perform a brute-force attack to gain access to the victim's account.
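
The following is an added example, not bookwyrm's code and not the diff of the fixing commit: a minimal reset-password handler that accepts any non-empty password (the behaviour the report describes) beside a hardened handler that applies a password policy before saving, with a tiny brute-force routine showing what a one-character password costs an attacker. The checks mirror the kind of rules Django's built-in password validators apply (minimum length, not all-numeric, not on a common-password list, not containing user attributes); the `User` class, `COMMON_PASSWORDS` list, function names and the reduced PBKDF2 iteration count are assumptions for illustration.

```python
"""Added example (not bookwyrm's code): weak vs. hardened password reset."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample list; a real deployment loads a large corpus
# (e.g. the list Django ships with CommonPasswordValidator).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "a", "abc123"}
MIN_LENGTH = 10
# Reduced for the demo; production PBKDF2 uses hundreds of thousands of rounds.
PBKDF2_ROUNDS = 20_000


@dataclass
class User:
    """Hypothetical user record standing in for the ORM model."""
    username: str
    email: str
    password_hash: bytes = b""
    salt: bytes = field(default_factory=lambda: os.urandom(16))

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.password_hash)


class PasswordPolicyError(ValueError):
    """Raised by the hardened handler when the new password fails policy."""


def validate_password(password: str, user: User) -> List[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("entirely numeric")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    # Reject passwords containing the username or the e-mail local part
    # (deduplicated so a shared value is reported once).
    for attr in dict.fromkeys((user.username, user.email.split("@")[0])):
        if attr and attr.lower() in password.lower():
            problems.append(f"contains user attribute {attr!r}")
    return problems


def reset_password_weak(user: User, token_ok: bool, new_password: str) -> bool:
    """Vulnerable: checks only the reset token and that a password was posted."""
    if not token_ok or not new_password:
        return False
    user.set_password(new_password)  # 'a' is accepted here
    return True


def reset_password_hardened(user: User, token_ok: bool, new_password: str) -> bool:
    """Fixed: the same flow, but the policy runs before the hash is stored."""
    if not token_ok:
        return False
    problems = validate_password(new_password, user)
    if problems:
        raise PasswordPolicyError("; ".join(problems))
    user.set_password(new_password)
    return True


def brute_force_single_char(user: User, alphabet: str) -> Tuple[Optional[str], int]:
    """Online guessing of a one-character password: at most len(alphabet) tries.
    Returns (recovered_password_or_None, number_of_guesses_made)."""
    guesses = 0
    for ch in alphabet:
        guesses += 1
        if user.check_password(ch):
            return ch, guesses
    return None, guesses
```

Running the weak handler with the report's payload (`a`) and then `brute_force_single_char` over lowercase letters and digits recovers the password in a handful of guesses; the hardened handler rejects the same payload with both "shorter than 10 characters" and "too common", and only stores a hash once `validate_password` returns no problems. Any rate limiting on the login endpoint is a separate control and does not substitute for the policy check.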

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. 10 months ago
Nhien.IT modified the report 10 months ago
We have contacted a member of the bookwyrm-social/bookwyrm team and are waiting to hear back 10 months ago
We have sent a follow up to the bookwyrm-social/bookwyrm team. We will try again in 7 days. 10 months ago


Hi @maintainer,

If this vulnerability has been fixed or reported before, please mark it as duplicate or information.


Mouse Reeve validated this vulnerability 10 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.4 with commit 086ec1 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE