What happened?

A Lemmy exploit has been used in the wild earlier to attack several instances, among which lemmy.world:

• https://lemdit.com/post/44993
• https://lemdit.com/post/44963

What we did about it:

At the time it was believed that the exploit had something to do with the sidebar, so I temporarily restricted new applications and disabled the ability for users to create their own communities:

• https://lemdit.com/post/45241

We have meanwhile learned that this vulnerability is present on any instance that has custom emojis defined, and is exploitable everywhere Markdown is available (posts, comments, private messages, the sidebar, etc).

As of now there is no official patch for it, however a manual fix is described in this thread:

• https://github.com/LemmyNet/lemmy-ui/issues/1895

I have applied this fix to Lemdit to be safe, noting that we never had custom emojis enabled so we were never really at risk. 10 comments with the malicious code had federated to us (and were removed through my application of the fix), however you would’ve still been safe viewing these comments from Lemdit.

We’re now back to having open registration and the ability for users to create communities without admin intervention.

What this means for you as a Lemdit member

I want to reassure you that we were not impacted by this exploit. As previously mentioned, the exploit was specifically linked to custom emojis and we never had those defined/enabled. Even though comments containing the malicious code would’ve federated to us, the code would not have worked here.

As a conscequence of applying the manual fix, all existing login sessions have been reset so you will have to log back into your Lemdit account.

I expect that a new Lemmy version will be released soon to properly address this vulnerability - I will be patching us to it as soon as it’s available.

Let me know if you have any questions or concerns.