So far, February has been a rough month for Fediverse projects. A little over a week after the CVE report emerged for Mastodon, a new CVE has emerged for Pixelfed as well. Dubbed CVE-2024-25108, this vulnerability involves an elevated access to resources, for users not intended to receive them. This CVE was reported by Trust & Safety tooling developer Emelia Smith, who has contributed work to Mastodon and Pixelfed in the past.

A proof-of-concept exists in the wild, and the vulnerability affects all Pixelfed versions between v0.10.4 and v0.11.9. A new release, v.0.11.11, sufficiently fixes the API endpoint to deal with this.

58% of all Pixelfed users are on instances that have updated to the latest version (v0.11.11) that contains an important security bugfix.

Keep in mind this version was only released 5 hours ago.

Great job :pixelfed: admins!

#pixelfed

— dansup (@dansup) 2024-02-10T09:30:28.480Z

Renaud Chaput, Mastodon’s CTO, also provided an incredibly helpful recommendation that we think all Fediverse projects ought to consider:

Advice to OSS projects that are exposing a public interface: implement an update checker with very visible admin notifications.

We did this for Mastodon 4.2, and it allowed our latest security release to reach 90% active user adoption in less than 48 hours, which took weeks previously.

Renaud Chaput, CTO of Mastodon

If you think about it, it makes a lot of sense: an update checker on an admin dashboard could serve as a very effective early-warning system for admins to know about CVEs. Renaud went on to link to an example of their implementation here.

Errata: in a previous version of this article, we reported that admins need to upgrade to v.0.11. It was pointed out that the actual version to upgrade to is v.0.11.11. Thanks to @thisismissem on Mastodon.