Pixelfed Urges Admins to Update After 9.9/10 CVE Reveal
58% of Pixelfed servers mitigated so far.
So far, February has been a rough month for Fediverse projects. A little over a week after the CVE report emerged for Mastodon, a new CVE has emerged for Pixelfed as well. Dubbed CVE-2024-25108, this vulnerability gives users elevated access to resources they were never intended to receive. The CVE was reported by Trust & Safety tooling developer Emelia Smith, who has contributed to Mastodon and Pixelfed in the past.
A proof-of-concept exists in the wild, and the vulnerability affects all Pixelfed versions between v0.10.4 and v0.11.9. A new release, v0.11.11, patches the affected API endpoint.
58% of all Pixelfed users are on instances that have updated to the latest version (v0.11.11) that contains an important security bugfix.
Keep in mind this version was only released 5 hours ago.
Great job :pixelfed: admins!
Renaud Chaput, Mastodon’s CTO, also provided an incredibly helpful recommendation that we think all Fediverse projects ought to consider:
Advice to OSS projects that are exposing a public interface: implement an update checker with very visible admin notifications.
We did this for Mastodon 4.2, and it allowed our latest security release to reach 90% active user adoption in less than 48 hours, which took weeks previously.
Renaud Chaput, CTO of Mastodon
If you think about it, it makes a lot of sense: an update checker on the admin dashboard could serve as a very effective early-warning system, so admins learn about CVEs affecting their instance without having to follow the project's release channels themselves. Renaud went on to link to an example of their implementation here.
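As an added illustration of the recommendation above (this is example code written for this article, not Mastodon's or Pixelfed's own implementation), the core of such a checker is small: fetch a release manifest, compare it against the running version, and surface security releases loudly on the admin dashboard. The manifest format, the `security` flag and the version numbers are constructed here for illustration.

```ruby
require 'json'

# Constructed sample data: the running version of this instance and the
# release manifest the checker would normally fetch over HTTPS from the
# project's own domain on a schedule (e.g. once a day).
RUNNING_VERSION = '0.11.9'.freeze

SAMPLE_MANIFEST = <<~JSON.freeze
  {"releases": [
    {"version": "0.11.9",  "security": false},
    {"version": "0.11.10", "security": false},
    {"version": "0.11.11", "security": true, "note": "Fixes CVE-2024-25108"}
  ]}
JSON

# Parse "MAJOR.MINOR.PATCH" (a leading "v" is tolerated) into comparable
# integers. Returns nil for anything else, so a malformed manifest entry is
# skipped rather than silently compared as if it were version 0.
def parse_version(str)
  m = /\Av?(\d+)\.(\d+)\.(\d+)\z/.match(str.to_s)
  m && m.captures.map(&:to_i)
end

# Releases strictly newer than `running`, oldest first. `manifest` is the
# decoded JSON (a Hash with a "releases" array).
def newer_releases(running, manifest)
  current = parse_version(running) or raise ArgumentError, "bad version #{running}"
  manifest.fetch('releases')
          .select { |r| (v = parse_version(r['version'])) && (v <=> current) > 0 }
          .sort_by { |r| parse_version(r['version']) }
end

# Build the notification the admin dashboard should display, or nil when the
# instance is current. Any pending security release marks the whole notice as
# a security update so it is not mistaken for a routine upgrade.
def update_notice(running, manifest_json)
  pending = newer_releases(running, JSON.parse(manifest_json))
  return nil if pending.empty?
  latest = pending.last['version']
  security = pending.any? { |r| r['security'] }
  {
    latest: latest,
    security: security,
    message: security ? "SECURITY UPDATE REQUIRED: #{running} -> #{latest}" :
                        "Update available: #{running} -> #{latest}"
  }
end

puts update_notice(RUNNING_VERSION, SAMPLE_MANIFEST).inspect
```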
Errata: in a previous version of this article, we reported that admins need to upgrade to v.0.11. It was pointed out that the actual version to upgrade to is v.0.11.11. Thanks to @thisismissem on Mastodon.