CVE-2024-25108 (CVSS 9.9): Authorization Bypass in Pixelfed

In the realm of social media, where centralized giants often dominate the landscape, Pixelfed has emerged as a beacon of hope for those yearning for privacy, security, and a decentralized ethos. As an open-source image-sharing platform, Pixelfed champions user privacy and data control, leveraging the decentralized ActivityPub protocol to foster a network where users from different platforms can seamlessly interact. Recently, Pixelfed has revealed a major security vulnerability that could give attackers significant power over user accounts and the platforms they support.


CVE-2024-25108, with a CVSS score of 9.9, exposes a critical flaw in Pixelfed. This vulnerability reveals that authorization checks within Pixelfed were insufficiently stringent, potentially granting attackers unauthorized access to a treasure trove of functionalities, including those reserved for administrators and moderators. The implications of such access are vast, ranging from data manipulation to compromising the platform’s federated structure.

Affecting versions v0.10.4 to v0.11.9, CVE-2024-25108 places every user of a Pixelfed server in potential jeopardy. The vulnerability’s nuanced nature requires some initial setup by the user, yet, intriguingly, an attacker can exploit it in a time-delayed manner, bypassing the need for active user interaction.

The discovery of a proof of concept for CVE-2024-25108 has set the stage for a critical period of vulnerability and anticipation. The Pixelfed development team, cognizant of the stakes involved, has pledged an update with further details by February 25, 2024, allowing administrators a window of opportunity to fortify their defenses. This deliberate withholding of specifics underlines the gravity of the situation, emphasizing the need for swift and decisive action to prevent potential exploitation.

If you run a Pixelfed instance or have an account on one, you need to act NOW:

  • Pixelfed Instance Administrators: If you run a Pixelfed server, you MUST update to the version v0.11.11
  • Pixelfed Users: While patching can mitigate significant risks, stay vigilant. Scrutinize suspicious activity in your community and alert your instance admins of anything unusual. Consider changing your passwords as a safeguard, especially if you have administrative or moderation rights.