CVE-2024-25108

9.9 CRITICAL

📋 TL;DR

This CVE describes an authorization bypass vulnerability in Pixelfed that allows attackers to access administrative and moderator functionality beyond their intended permissions. It affects all Pixelfed versions between v0.10.4 and v0.11.9, inclusive, potentially impacting all local users and server federation capabilities. Some user interaction is required to set up attack conditions, but exploitation can occur in a time-delayed manner.

💻 Affected Systems

Products:
  • Pixelfed
Versions: v0.10.4 through v0.11.9 inclusive
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Pixelfed instances running vulnerable versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative control over the Pixelfed instance, allowing them to modify server settings, access all user data, disrupt federation, and potentially compromise the underlying server.

🟠 Likely Case

Attackers access moderator/admin functionality to view sensitive data, modify content, or disrupt normal operations of the Pixelfed instance.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to the Pixelfed application layer with no lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof of concept exists and some user interaction is required to set up conditions, but exploitation itself is straightforward once conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.11.11

Vendor Advisory: https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

Restart Required: Yes

Instructions:

1. Back up your Pixelfed instance and database.
2. Update to Pixelfed v0.11.11 or later using your preferred update method (git pull, package manager, etc.).
3. Run any required database migrations.
4. Restart the Pixelfed service and web server.

🧯 If You Can't Patch

  • Isolate the Pixelfed instance from other systems using network segmentation.
  • Implement strict monitoring for unusual administrative activity and access patterns.

🔍 How to Verify

Check if Vulnerable:

Check your Pixelfed version. If it's between v0.10.4 and v0.11.9 inclusive, you are vulnerable.

Check Version:

Check the Pixelfed admin panel or run: php artisan version (if using Laravel Artisan)

Verify Fix Applied:

Verify your Pixelfed version is v0.11.11 or later and test that authorization checks are properly enforced for administrative functions.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to admin/mod endpoints
  • User accounts accessing functionality beyond their role permissions
  • Unusual administrative actions from non-admin accounts

Network Indicators:

  • Requests to administrative endpoints from non-admin IPs
  • Unusual API call patterns to privileged endpoints

SIEM Query:

source="pixelfed" AND (uri_path="/admin/*" OR uri_path="/mod/*") AND user_role!="admin"
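The SIEM query above assumes the log already carries a user role, which web or application logs usually do not. The following added example (not part of this advisory or of Pixelfed) shows the same correlation done offline: it joins constructed request log lines with a constructed user-role map and flags requests to the /admin and /mod paths named above from accounts whose role does not permit them. The log line format, the role names and the path prefixes are assumptions; Pixelfed's real routes and log layout may differ.

```python
import re

# Constructed sample log lines (format assumed): timestamp, acting account,
# request path and HTTP status. Not real Pixelfed output.
SAMPLE_LOG = """\
2024-02-01T10:00:01Z user=alice path=/admin/dashboard status=200
2024-02-01T10:00:05Z user=bob path=/i/web/timeline status=200
2024-02-01T10:01:10Z user=bob path=/admin/users status=200
2024-02-01T10:01:12Z user=bob path=/admin/settings status=200
2024-02-01T10:02:00Z user=carol path=/mod/reports status=200
2024-02-01T10:02:30Z user=dave path=/admin/dashboard status=403
"""

# Constructed role map standing in for the instance's user table.
ROLES = {"alice": "admin", "bob": "user", "carol": "moderator", "dave": "user"}

# Privileged path prefixes taken from the SIEM query above (assumed routes).
PRIVILEGED = re.compile(r"^/(admin|mod)(/|$)")
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def find_role_violations(log_text, roles):
    """Return (user, path, status) for every request to a privileged path
    made by an account whose role does not allow it. /admin is admin-only;
    /mod is open to admins and moderators. Blocked (4xx) requests are kept
    too, since repeated denied access to these paths is worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not PRIVILEGED.match(m["path"]):
            continue
        role = roles.get(m["user"], "unknown")
        allowed = {"admin"} if m["path"].startswith("/admin") else {"admin", "moderator"}
        if role not in allowed:
            hits.append((m["user"], m["path"], int(m["status"])))
    return hits


def successful_bypasses(hits):
    """Subset of violations that the server actually served (2xx): these are
    the indicators of an authorization bypass rather than a denied probe."""
    return [h for h in hits if 200 <= h[2] < 300]


if __name__ == "__main__":
    for user, path, status in find_role_violations(SAMPLE_LOG, ROLES):
        print(f"{user} -> {path} ({status})")
```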
