most of the instances are offline or admin only login last I checked
who would have thought software that was quickly spun up to replace something carefully written over the course of 7 years because tankies would have 0 days
this post was submitted on 15 May 2026
56 points (100.0% liked)
Slop.
857 readers
375 users here now
For posting all the anonymous reactionary bullshit that you can't post anywhere else.
Rule 1: All posts must include links to the subject matter, and no identifying information should be redacted.
Rule 2: If your source is a reactionary website, please use archive.is instead of linking directly.
Rule 3: No sectarianism.
Rule 4: TERF/SWERFs Not Welcome
Rule 5: No bigotry of any kind, including ironic bigotry.
Rule 6: Do not post fellow hexbears.
Rule 7: Do not individually target federated instances' admins or moderators.
founded 2 years ago
MODERATORS
you don't understand, piefed only has the best code. Everyone says so and it even happens so much faster than those dirty tankies. Some say it is the perfect code but please whatever you do don't look at it just imagine the best possible code and that's it.
Here I was thinking the downtime was due to the hosting DC having a fire https://www.datacenterdynamics.com/en/news/northc-data-center-outside-amsterdam-suffers-fire/
Ohhhh that's why they need possibly 24hrs of downtime 😂😂😂😂😂
Lol. Lmao, even
"security tweaks" 
Yeah I'm no expert but I did see if deepseek could tell me what was going on here.
The most dangerous: cloud metadata at 169.254.169.254 . A single 302 redirect → metadata endpoint returns temporary AWS credentials the attacker can use to access S3 buckets, RDS, or any other cloud resource the instance has an IAM role for. That's a complete account compromise, not just a server crash..
is this live? If it is please remove the comment and tell the devs. This could put people who already are being harassed on the regular by trolls at risk. I don't know if IP addresses are logged, not everyone uses burner email addresses etc.
I can't even mod the comment bc then it just shows up on the modlog, i'd have to remove the entire post.
They patched it. This is what the threat was.
Ah good
It was not, that's only what deepseek said it was. I don't know why you edited the comment to hide the details of the hallucination instead of accepting that it fluked.
I changed it before I read your comment because a mod asked me to. Relax.
Complete hallucination, this is improper validation of requests, nothing about fetching something or leaking credentials.
Also, 169.254.0.0/16 is the link-local IPv4 network so it doesn't even make sense outside of the fact that aws servers may get metadata on such networks (which again is absolutely unrelated to this diff). Is this a 3b model? Seems like it ran out of context, maybe it loaded the entire html page.
Yeah I'm no expert
I'll bold it next time. However, thank you for your analysis!
If I was fed the pie, will I be okay or should I get help?
i would suggest forcing fingers down your throat until you upchuck it
Even dealing with a security issue the code is shit. Why are they chaining multiple ors in a if single statements
| | |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| `def is_invalid_get_request_uri(uri):` | |
| | `if current_app.debug:` |
| | `return False` |
| | `try:` |
| | `ip = ipaddress.ip_address(furl(uri).host)` |
| | `except:` |
| | `ip = None` |
| | `` |
| | `if ip:` |
| | `return ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_loopback or ip.is_multicast or ip.is_unspecified` |
| | `return False` |
| | `` |
| | `` |
| | `def is_invalid_post_request_uri(uri):` |
| | `return is_inv` |
https://codeberg.org/rimu/pyfedi/commit/ada8e2ea35ec687000b7e7c2343288d44a219c3a
Bare except, too. Not ideal.
I mean they weren't given any heads up but had to instantly shut down their servers and figure out what was going on and come up with a solution on the spot. Not that I think piefed is well-made but just publicly posting critical security vulnerabilities is a dick move.
Was it a zero day? And fair.
Yeah, piefed is rather small and apparently no one even thought to as much as prompt an LLM for the code. It was an unknown vulnerability.
https://lemmy.ml/post/47379574 - - I think this is at least one of them?
Will be an interesting read when not weekend.
Mostly wasn't sure if something big in python or just the implementation. Been so many announcements on big vulnerabilities lately
If it's the one from yogthos then yeah
Interesting
| 6 hours ago | infosec.pub mod | Deleted post Piefed has some really bad security bugs that p… in cybersecurity@infosec.pub |
Lol wait really? Makes a blog post about burn out, zeroday crashes every piefed instance?
Other than the dev?
ha ha
