Today I published our new podcast at my employer Uberspace. For publishing, we decided to use a self-hosted Castopod instance. Sadly, I found an information-leaking bug shortly after doing so. Because this bug is out there and leaks information that is considered, and expected to be, private, I will publish this note shortly after informing the maintainers today (Fri, 11 Jul 2025 15:11:19 CEST) by mail to their security contact.
The Bug
The bug is rather simple. If you reply to a post published via Castopod, for example from a Mastodon instance, and set the visibility to “Specific people” (the Mastodon equivalent of a private message, and expected to behave like one), that message becomes world-readable on the Castopod instance's website, not just to logged-in users. You can see such a message here or in the screenshot below:

This isn’t what users contacting the podcast account expect when they send a private message, so it has to be considered an information leak.
Furthermore, if I reply from the Castopod instance to such a post, not only does the mention break (which is another bug), the reply is also sent with the Mastodon equivalent of “public” visibility. This means the answer is readable by anyone as well, leaking even more information. You can see this by the globe icon in the upper right corner of the following screenshot.

The expected behavior
The expected behavior would be to not show the private message, at least to logged-out visitors, and to keep the visibility of the original message when answering it.
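In ActivityPub, visibility is not a separate flag but is encoded in the `to`/`cc` addressing of the Note: Mastodon puts `as:Public` in `to` for public posts, in `cc` for unlisted ones, the author's followers collection in `to` for followers-only posts, and only the mentioned actors in `to` for “Specific people”. The following is an illustration I am adding here, not Castopod's code and not a claim about where its bug lies: it classifies an inbound reply from that addressing, decides whether it may appear on a logged-out page, and derives reply addressing that is never wider than the message being answered. All hosts, actor URIs and IDs in it are constructed.

```python
"""Visibility of an ActivityPub Note, derived from its to/cc addressing.

Illustration added to this note; it is not Castopod's code. The rules are
the ones Mastodon applies when it federates a status:
  public         -> as:Public in `to`
  unlisted       -> as:Public in `cc`
  followers only -> the author's followers collection in `to`, no as:Public
  direct         -> neither as:Public nor the followers collection anywhere;
                    `to` holds only the mentioned actors ("Specific people")
"""
from __future__ import annotations

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
# Mastodon accepts all three spellings of the public collection.
PUBLIC_ALIASES = {PUBLIC, "as:Public", "Public"}


def _recipients(value) -> list[str]:
    """`to`/`cc` may be absent, a single string, or a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [v for v in value if isinstance(v, str)]


def classify(note: dict, author_followers: str | None = None) -> str:
    """Return 'public', 'unlisted', 'followers' or 'direct' for a Note."""
    to = set(_recipients(note.get("to")))
    cc = set(_recipients(note.get("cc")))
    if to & PUBLIC_ALIASES:
        return "public"
    if cc & PUBLIC_ALIASES:
        return "unlisted"
    if author_followers and author_followers in (to | cc):
        return "followers"
    return "direct"


def may_render_publicly(note: dict, author_followers: str | None = None) -> bool:
    """Only public and unlisted posts belong on a logged-out web page.

    Anything the server cannot classify falls through to 'direct' and is
    hidden: addressing it does not understand must never widen visibility.
    """
    return classify(note, author_followers) in ("public", "unlisted")


def reply_addressing(parent: dict, our_actor: str, our_followers: str,
                     parent_author_followers: str | None = None) -> dict:
    """Address a reply so it is never wider than the post it answers.

    Mirrors what a Mastodon client does when a reply inherits visibility.
    """
    author = parent["attributedTo"]
    vis = classify(parent, parent_author_followers)
    if vis == "public":
        return {"to": [PUBLIC], "cc": [our_followers, author]}
    if vis == "unlisted":
        return {"to": [our_followers], "cc": [PUBLIC, author]}
    if vis == "followers":
        return {"to": [our_followers], "cc": [author]}
    # direct: answer only the author and the people they addressed; never
    # add ourselves, a collection, or as:Public
    others = [r for r in _recipients(parent.get("to"))
              if r != our_actor and r not in PUBLIC_ALIASES and r != author]
    return {"to": [author] + others, "cc": []}


# --- constructed sample data (hosts, actors and ids are made up) ----------
SHOW = "https://podcast.example/@show"
SHOW_FOLLOWERS = SHOW + "/followers"
ALICE = "https://mastodon.example/users/alice"
ALICE_FOLLOWERS = ALICE + "/followers"

# A "Specific people" reply from Alice to the podcast account: only the
# mentioned actor in `to`, nothing public anywhere.
DIRECT_REPLY = {
    "type": "Note",
    "id": "https://mastodon.example/users/alice/statuses/1",
    "attributedTo": ALICE,
    "inReplyTo": SHOW + "/posts/42",
    "to": [SHOW],
    "cc": [],
    "content": "<p>Hi, I would like to talk off the record.</p>",
}

# The same reply sent publicly, for comparison.
PUBLIC_REPLY = dict(DIRECT_REPLY, to=[PUBLIC], cc=[ALICE_FOLLOWERS, SHOW])


if __name__ == "__main__":
    for name, note in (("direct", DIRECT_REPLY), ("public", PUBLIC_REPLY)):
        print(name, classify(note, ALICE_FOLLOWERS),
              "render on public page:", may_render_publicly(note, ALICE_FOLLOWERS),
              "reply addressing:",
              reply_addressing(note, SHOW, SHOW_FOLLOWERS, ALICE_FOLLOWERS))
```

The two properties a server rendering federated replies needs are both here: the public page consults `may_render_publicly` before showing a reply, and an answer written on the server is addressed with `reply_addressing`, so a “Specific people” message stays between the sender and the podcast account in both directions.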
Considerations
While this bug is unfixed and all Castopod instances appear to be affected by this information leak, do not reach out to accounts hosted on a Castopod instance via private message, or treat every piece of information you share as publicly visible regardless of the visibility setting on your side. I hope the authors will fix this bug soon, and I will update this note accordingly. Disclosure: I can’t submit a patch myself because I don’t speak PHP.