CVE-2024-25108

CRITICAL

Pixelfed <0.11.9 - Auth Bypass

Title source: llm

Description

Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References (2)

[Exploit, Third Party Advisory] https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

[Patch] https://github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037

View Patch ZIP pw:eip

Scores

CVSS v3 9.9

EPSS 0.0011

EPSS Percentile 28.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-280 CWE-285 CWE-863

Status published

Products (2)

pixelfed/pixelfed 0.10.4 - 0.11.11

pixelfed/pixelfed 0.10.4 - 0.11.11Packagist

Published Feb 12, 2024

Tracked Since Feb 18, 2026