See Pleroma/Soykaf
As you all probably know (if not, see the comments in https://meta.akkoma.dev/t/akkoma-stable-2023-05-baked-beans-and-spam/475/8), there has recently been discovered an injection vulnerability in Akkoma-fe. Both Pleroma and Akkoma are affected by it. Some fixes have already been done to mitigate this issue, but yet another attack vector has been found.
From what I understand, the vulnerability allows remote code execution with code being injected through media. When that media is served from the same domain as your front-end, it has access to local storage, including access tokens. That means that an attacker can pose as you, and access everything you can. If you have admin privileges, that means they have that too now.
For that reason, it’s advised to serve or proxy your media through a different domain (or subdomain). For example, if your media is normally served on https://myinstance/media, and your instance listens internally on http://localhost:4000, you can set a redirect from https://media.myinstance/media to http://localhost:4000/media. Then change your config to

```elixir
config :pleroma, Pleroma.Upload,
  base_url: "https://media.myinstance/media"
```

and restart your server, and check that media indeed still works, and that newly uploaded media is now served from this new domain.
If you have media_proxy enabled and serving from your domain, do the same for that (I do not know the exact settings since I do not use it myself, but check the documentation and please note it here so it may help others).
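The last step of the procedure above is verifying that media really is on a separate web origin from the front-end, which is what keeps injected script away from the front-end's local storage. The following Python script is an added example (not code from the original post, nor from the Pleroma or Akkoma projects) that does that check offline: it compares a `base_url` value against the front-end origin using the browser's same-origin rule (scheme, host and port, with default ports normalised), and scans Mastodon-API style status objects for attachment URLs that still share the front-end's origin. The `SAMPLE_STATUSES` data and the `myinstance` / `media.myinstance` host names are constructed for the example; a real check would feed it statuses fetched from the instance's timeline API.

```python
"""Check that media URLs live on a different web origin than the front-end.

A subdomain (https://media.myinstance) counts as a different origin, so local
storage of https://myinstance is not reachable from scripts served there.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) origin triple of an absolute http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # An absent port means the scheme's default port (https://x == https://x:443).
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return scheme, host, port


def same_origin(a: str, b: str) -> bool:
    """Browser same-origin rule: scheme, host and port must all match."""
    return origin(a) == origin(b)


def check_base_url(frontend_url: str, upload_base_url: str) -> bool:
    """True when the configured upload base_url is on a different origin
    from the front-end, i.e. the mitigation is in place."""
    return not same_origin(frontend_url, upload_base_url)


def find_same_origin_media(frontend_url: str, statuses: list[dict]) -> list[str]:
    """Return attachment URLs (full-size or preview) that still share the
    front-end's origin. Each is a place where injected media could reach
    the front-end's local storage. Order is preserved, duplicates dropped."""
    offenders: list[str] = []
    for status in statuses:
        for attachment in status.get("media_attachments", []):
            for key in ("url", "preview_url"):
                url = attachment.get(key)
                if url and same_origin(frontend_url, url) and url not in offenders:
                    offenders.append(url)
    return offenders


# Constructed sample data in the shape of the Mastodon-compatible statuses API.
# Status 1 is pre-migration, status 2 is fully migrated, status 3 has a
# thumbnail that was missed (previews are served by the same upload config).
SAMPLE_STATUSES = [
    {"id": "1", "media_attachments": [
        {"url": "https://myinstance/media/abc.svg",
         "preview_url": "https://myinstance/media/abc.svg"}]},
    {"id": "2", "media_attachments": [
        {"url": "https://media.myinstance/media/def.png",
         "preview_url": "https://media.myinstance/media/def.png"}]},
    {"id": "3", "media_attachments": [
        {"url": "https://media.myinstance/media/ghi.png",
         "preview_url": "https://myinstance/media/thumb_ghi.png"}]},
]


if __name__ == "__main__":
    frontend = "https://myinstance"
    print("base_url separated:", check_base_url(frontend, "https://media.myinstance/media"))
    for url in find_same_origin_media(frontend, SAMPLE_STATUSES):
        print("still same-origin as front-end:", url)
```

Run it after the config change with statuses pulled from your own timeline; anything it prints as "still same-origin" is media that the front-end would load from its own origin. Note that `https://myinstance` and `https://myinstance:443` are the same origin, while `http://myinstance` and `https://myinstance` are not, so a plain scheme change alone would pass this check but is not a sensible way to separate media.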
A more precise explanation and guide can be found at https://webb.spiderden.org/2023/05/26/pleroma-mitigation/.
Note that this exploit requires media to be served from the local domain. That means that if you do not have media_proxy enabled, and you can trust the people on your instance to not upload malicious attachments like this, you should generally be safe, even if you served media from your own domain. Still, better safe than sorry and all that.