The XML parser we're using is the most mature one in the ecosystem and comes with Erlang, but they apparently didn't care to disable this by default.
nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 yeah, XXE. Means anything that can submit an XML document that the server parses can read arbitrary files on the server, same as the other issue. Actually worse if this doesn’t require Auth. XXE is fixed by not using a shit and brain-damaged parsers, which nobody should be using. This is straight outta 2004.
Abandon hope, all ye who enter. Pleroma is fucked and was made by retards.
Discussion
nostr:npub1yck44z5zqxmwpqzqs75ay6ffjdw843ng9p6mz0lzfff3fgz2djlsngujmw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 nostr:npub108zt8c43ulvdwnax2txurhhr07wdprl0msf608udz9rvpd5l68ascvdkr5 Yeah, in this case I wouldn't blame Pleroma devs entirely, what I said was mostly a joke.
Erlang/Elixir is a shit and immature language, so the fact that "the most mature [XML parser] in the ecosystem" is vulnerable to vulns from the early 2000's comes as no surprise to me.