CVE-2025-30741
📋 TL;DR
A Pixelfed vulnerability allows unauthorized users to follow private accounts and view private posts across Fediverse servers. This affects all Pixelfed instances running vulnerable versions and impacts users on other Fediverse platforms who have followers from affected Pixelfed instances.
💻 Affected Systems
- Pixelfed
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass exposure of private content across the Fediverse, compromising user privacy and potentially exposing sensitive information to unauthorized viewers.
Likely Case
Unauthorized users gain access to private posts and account information that should be restricted, violating user privacy expectations.
If Mitigated
Limited exposure if private accounts have minimal followers from vulnerable Pixelfed instances.
🎯 Exploit Status
The vulnerability appears to be an authorization bypass that doesn't require authentication. Simple HTTP requests could potentially trigger the issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.5
Vendor Advisory: https://github.com/pixelfed/pixelfed/releases/tag/v0.12.5
Restart Required: Yes
Instructions:
1. Back up your Pixelfed instance and database.
2. Update to Pixelfed version 0.12.5 or later.
3. Restart the web server and any background workers.
4. Clear the application cache if applicable.
🔧 Temporary Workarounds
Temporary Access Restriction
Limit access to the Pixelfed instance while preparing for the update (Linux):
# Use firewall rules to restrict access (ufw requires "proto tcp" when listing multiple ports)
# Note: this blocks all HTTP/HTTPS traffic to the host, including administrators
sudo ufw deny proto tcp from any to any port 80,443
# Or use the web server configuration to block access
🧯 If You Can't Patch
- Disable federation features temporarily to prevent cross-instance exploitation
- Implement strict access controls and monitor for unauthorized following attempts
🔍 How to Verify
Check if Vulnerable:
Check the Pixelfed version in the admin panel or from the command line:
php artisan version
A version earlier than the fixed release (0.12.5) should be treated as vulnerable.
Verify Fix Applied:
Confirm the version is 0.12.5 or later, then test that a private account cannot be followed, and its posts cannot be viewed, without the owner's authorization.
📡 Detection & Monitoring
Log Indicators:
- Unusual following activity
- Multiple failed authorization attempts for private accounts
- Cross-instance following patterns
Network Indicators:
- Increased ActivityPub protocol traffic
- Unusual federation requests
SIEM Query:
source="pixelfed.log" AND ("follow" OR "private" OR "authorization") AND status!=200