Pixelfed Urges Admins to Update After Disclosure of a Critical (CVSS 9.9/10) CVE

58% of Pixelfed users are already on patched instances.

So far, February has been a rough month for Fediverse projects. A little over a week after the CVE report emerged for Mastodon, a new CVE has emerged for Pixelfed as well. Tracked as CVE-2024-25108, the vulnerability is an improper authorization flaw: authenticated users could reach resources and functionality they were never meant to have. It was reported by Trust & Safety tooling developer Emelia Smith, who has contributed to both Mastodon and Pixelfed in the past.

When processing requests, authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including the administrative and moderator functionality of the Pixelfed server.

Vulnerability report

A proof-of-concept exists in the wild, and the vulnerability affects all Pixelfed versions from v0.10.4 through v0.11.9. A new release, v0.11.11, fixes the affected API endpoint; admins should upgrade to that version, not to an earlier 0.11.x release.
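To make the class of bug concrete, here is an added illustration in Ruby. It is not Pixelfed's code and says nothing about how Pixelfed's own checks were written; the accounts, tokens, roles and routes in it are constructed for the demonstration. The point it shows is the one the advisory text makes: a server that only confirms who is calling (authentication) but never checks what that caller may do (authorization) lets any valid API token reach moderator and admin functionality.

```ruby
# Added illustration, not Pixelfed's code: the bug class the advisory names,
# improper authorization (CWE-285). The server confirms WHO is calling
# (authentication) but never checks WHAT that caller may do (authorization),
# so any valid API token reaches moderator and admin routes.

# Constructed sample accounts; token strings and roles are made up.
USERS = {
  'tok-alice' => { name: 'alice', role: :user },
  'tok-mia'   => { name: 'mia',   role: :moderator },
  'tok-adam'  => { name: 'adam',  role: :admin },
}.freeze

ROLE_RANK = { user: 0, moderator: 1, admin: 2 }.freeze

# Hypothetical routes, each declaring the minimum role allowed to call it.
ROUTES = {
  'GET /api/v1/timeline/home'   => :user,
  'POST /api/mod/reports/close' => :moderator,
  'POST /api/admin/users/ban'   => :admin,
}.freeze

def authenticate(token)
  USERS[token]
end

# Vulnerable shape: authentication only. A valid token is treated as
# sufficient for every route, including administrative ones.
def handle_authn_only(route, token)
  return 401 unless authenticate(token)
  return 404 unless ROUTES.key?(route)

  200
end

# Hardened shape: authenticate, then authorize against the route's declared
# requirement. Unknown roles rank -1 and unknown routes are refused, so the
# default is to deny rather than to grant.
def handle_with_authz(route, token)
  user = authenticate(token)
  return 401 unless user

  required = ROUTES[route]
  return 404 unless required
  return 403 if ROLE_RANK.fetch(user[:role], -1) < ROLE_RANK.fetch(required)

  200
end

# Enumerate every (route, token) pair that the authn-only handler admits but
# the authorizing handler refuses. This is the check a regression test for an
# authorization fix should run over the full route table, not one endpoint.
def over_grants
  ROUTES.keys.product(USERS.keys).select do |route, token|
    handle_authn_only(route, token) == 200 && handle_with_authz(route, token) == 403
  end
end

if __FILE__ == $PROGRAM_NAME
  over_grants.each do |route, token|
    u = USERS[token]
    puts "#{u[:name]} (#{u[:role]}) reaches #{route} when only authentication is checked"
  end
end
```

Running it lists the three over-grants (a plain user reaching the moderator and admin routes, and a moderator reaching the admin route). The `over_grants` sweep is the useful part for an admin or maintainer: after upgrading, an equivalent table-driven test against the real route list is how you confirm the fix covers every privileged endpoint rather than the one named in a report.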

58% of all Pixelfed users are on instances that have updated to the latest version (v0.11.11) that contains an important security bugfix.

Keep in mind this version was only released 5 hours ago.

Great job :pixelfed: admins!

— dansup (@dansup) 2024-02-10T09:30:28.480Z

Renaud Chaput, Mastodon’s CTO, also provided an incredibly helpful recommendation that we think all Fediverse projects ought to consider:

Advice to OSS projects that are exposing a public interface: implement an update checker with very visible admin notifications.

We did this for Mastodon 4.2, and it allowed our latest security release to reach 90% active user adoption in less than 48 hours, which took weeks previously.

Renaud Chaput, CTO of Mastodon

If you think about it, it makes a lot of sense: an update checker on the admin dashboard is an effective early-warning system, letting admins learn about a security release the moment it ships rather than whenever they next happen to read the project's announcements. Renaud went on to link to Mastodon's implementation as an example.
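What such a checker has to get right is shown in the added example below. It is written here for illustration and is neither Mastodon's nor Pixelfed's code; the release feed format, its contents, the banner wording and the six-hour polling interval are assumptions. It handles the details that quietly break naive checkers: versions must be compared numerically (as strings, "0.11.9" sorts after "0.11.11"), a release flagged as a security fix must escalate the notification, and a feed that cannot be fetched or parsed must still produce a visible warning instead of failing silently.

```ruby
# Added example, not Mastodon's or Pixelfed's code: an update checker of the
# kind recommended above. It compares the running version against a release
# feed and turns the result into the banner an admin dashboard would show.
# The feed format, the feed contents and the polling interval are assumptions.

require 'json'

# Parse "0.11.11", "v0.11.11" or "v.0.11.11" into integers so that 0.11.11
# sorts after 0.11.9 (a plain string comparison gets this wrong).
def version_key(version)
  version.to_s.sub(/\Av\.?/, '').split('.').map(&:to_i)
end

def newer?(candidate, current)
  (version_key(candidate) <=> version_key(current)) == 1
end

# Constructed release feed standing in for a document fetched over HTTPS from
# the project. A real checker should verify the feed's signature or pin its
# origin, since whoever controls this document controls what admins are told.
SAMPLE_FEED = <<~JSON
  {
    "releases": [
      {"version": "0.11.9",  "security": false, "advisory": null},
      {"version": "0.11.11", "security": true,  "advisory": "CVE-2024-25108"}
    ]
  }
JSON

# Returns nil when the instance is current. Otherwise returns a hash with the
# newest version, whether any pending release is a security fix (:critical
# rather than :info) and the advisories it closes. A feed that cannot be read
# still yields a :warning so the failure is visible instead of silent.
def check_for_update(current_version, feed_json = SAMPLE_FEED)
  releases = JSON.parse(feed_json).fetch('releases')
  pending = releases.select { |r| newer?(r['version'], current_version) }
  return nil if pending.empty?

  latest = pending.max_by { |r| version_key(r['version']) }
  {
    current: current_version,
    latest: latest['version'],
    severity: pending.any? { |r| r['security'] } ? :critical : :info,
    advisories: pending.map { |r| r['advisory'] }.compact,
  }
rescue JSON::ParserError, KeyError => e
  { current: current_version, severity: :warning, error: e.class.name }
end

# Text for the admin dashboard banner; nil means there is nothing to show.
def banner_text(result)
  return nil if result.nil?
  return "Update check failed: #{result[:error]}" if result[:error]

  tag = result[:severity] == :critical ? 'SECURITY UPDATE REQUIRED' : 'Update available'
  text = "#{tag}: this instance runs #{result[:current]}, latest is #{result[:latest]}"
  text += " (fixes #{result[:advisories].join(', ')})" unless result[:advisories].empty?
  text
end

# Poll the feed at most once per interval. The caller persists last_checked_at
# (a Unix timestamp); nil means the instance has never checked.
def due_for_check?(last_checked_at, now, interval_seconds = 6 * 3600)
  last_checked_at.nil? || (now - last_checked_at) >= interval_seconds
end

if __FILE__ == $PROGRAM_NAME
  puts banner_text(check_for_update('0.11.9'))
end
```

Run as a script it prints the banner an instance on v0.11.9 would see. In a real deployment the check would run from a scheduled job using `due_for_check?`, store the result, and render `banner_text` on every admin page until the instance is upgraded; the feed itself is a trust boundary, which is why fetching it over plain HTTP or without signature verification turns the early-warning system into something an attacker can silence.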


Errata: in a previous version of this article, we reported that admins need to upgrade to v.0.11. It was pointed out that the actual version to upgrade to is v0.11.11. Thanks to @thisismissem on Mastodon.

Sean Tilley

Sean Tilley has been part of the federated social web for over 15 years, starting with Identi.ca in 2008. Sean was involved with the Diaspora project as a Community Manager from 2011 to 2013, and helped the project move to a self-governed model. Since then, Sean has continued to study, discuss, and document the evolution of the space and the new platforms that have risen within it.
