pixelfed instance admins: Please update pixelfed to v0.12.5 asap.
-
pixelfed instance admins: Please update pixelfed to v0.12.5 asap. The version contains fixes for serious security vulnerabilities that I reported.
I will disclose further details about the vulnerabilities in about 24 hours. -
Pixelfed before v0.12.5 has a vulnerability where it could leak your private posts, regardless of whether you are a Pixelfed user or not.
Admins should update ASAP.
When following someone from a different server on the Fediverse, the remote server decides whether you are allowed to do that. This enables features like locked accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. If a legitimate user from a Pixelfed instance follows you on your locked account, anyone on that Pixelfed instance can read your private posts.
I wrote a blog post about how I found the vulnerability, how disclosure coordination went and general ramblings about Fediverse safety:
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html -
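The Follow/Accept handshake the post describes, as an added example that is not Pixelfed's code: a small Python model in which a follow of a remote account stays pending until the remote server's Accept arrives, with a `can_view_vulnerable` function modelling the mistake (any follow record counts, accepted or not) beside the hardened check that only an accepted follow grants access to followers-only posts. Actor URLs, function names and the `FollowStore` class are constructed placeholders, not Pixelfed or ActivityPub library APIs.

```python
"""Hypothetical model of ActivityPub Follow/Accept state handling.

Added example, not Pixelfed code. A follow of a remote account is only
authorised once the *remote* server answers with an Accept; until then
followers-only posts from that account must stay hidden from the local user.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed identifiers: placeholder actor URLs, not real accounts.
LOCAL_USER = "https://pixels.example/users/alice"
OTHER_LOCAL_USER = "https://pixels.example/users/carol"
REMOTE_LOCKED = "https://masto.example/users/bob"


@dataclass
class FollowRecord:
    activity_id: str        # id of the outgoing Follow activity
    state: str = "pending"  # "pending" | "accepted" | "rejected"


@dataclass
class FollowStore:
    # (follower, followed) -> record of the outgoing Follow
    follows: Dict[Tuple[str, str], FollowRecord] = field(default_factory=dict)
    counter: int = 0

    def send_follow(self, follower: str, followed: str) -> dict:
        """Create an outgoing Follow and record it as *pending*.

        Returns the activity the server would POST to the remote inbox.
        """
        self.counter += 1
        activity_id = f"{follower}#follows/{self.counter}"
        self.follows[(follower, followed)] = FollowRecord(activity_id)
        return {"type": "Follow", "id": activity_id, "actor": follower, "object": followed}

    def handle_inbox(self, activity: dict, sender: str) -> Optional[str]:
        """Apply a remote Accept/Reject to the matching pending Follow.

        `sender` is the actor the HTTP-signature check verified. The Accept
        must come from the account that was followed and name our Follow's
        id; anything else is ignored. Returns the new state, or None.
        """
        if activity.get("type") not in ("Accept", "Reject"):
            return None
        obj = activity.get("object")
        if isinstance(obj, dict):          # object may be embedded or just an id
            obj = obj.get("id")
        for (follower, followed), rec in self.follows.items():
            if (rec.activity_id == obj
                    and followed == sender == activity.get("actor")
                    and rec.state == "pending"):
                rec.state = "accepted" if activity["type"] == "Accept" else "rejected"
                return rec.state
        return None

    def is_accepted_follower(self, follower: str, followed: str) -> bool:
        rec = self.follows.get((follower, followed))
        return rec is not None and rec.state == "accepted"


def can_view_vulnerable(store: FollowStore, viewer: str, author: str, visibility: str) -> bool:
    """The mistake described in the thread, modelled: a Follow record counts
    as a follow whether or not the remote server ever accepted it."""
    if visibility == "public":
        return True
    return (viewer, author) in store.follows


def can_view(store: FollowStore, viewer: str, author: str, visibility: str) -> bool:
    """Hardened: followers-only posts require an *accepted* follow."""
    if visibility == "public":
        return True
    if visibility == "followers":
        return store.is_accepted_follower(viewer, author)
    return False


def demo() -> dict:
    store = FollowStore()
    follow = store.send_follow(LOCAL_USER, REMOTE_LOCKED)
    before = can_view(store, LOCAL_USER, REMOTE_LOCKED, "followers")
    # Bob's server accepts Alice's follow.
    store.handle_inbox({"type": "Accept", "actor": REMOTE_LOCKED, "object": follow["id"]},
                       sender=REMOTE_LOCKED)
    after = can_view(store, LOCAL_USER, REMOTE_LOCKED, "followers")
    # Carol, on the same instance, sends a Follow that is never accepted.
    store.send_follow(OTHER_LOCAL_USER, REMOTE_LOCKED)
    return {
        "alice_before_accept": before,  # False: still pending
        "alice_after_accept": after,    # True
        "carol_vulnerable": can_view_vulnerable(store, OTHER_LOCAL_USER, REMOTE_LOCKED, "followers"),  # True: the leak
        "carol_hardened": can_view(store, OTHER_LOCAL_USER, REMOTE_LOCKED, "followers"),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The two checks in `handle_inbox` are the ones that matter: the Accept has to name the exact Follow activity id this server sent, and the verified sender has to be the followed account itself, so neither a missing Accept nor an Accept from some other actor can promote a pending follow.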
@fionafokus thank you for your work here, and your attempts to limit the damage by responsible disclosure, and the excellent writeup. I agree that there's an important discussion about the impact of this pattern of reckless behavior (and the willingness of so many cis male fediverse influencers to give it a pass and encourage people to donate to a project with this track record).
-
That is so unfortunate. And I was thinking seriously about opening up another instance on pixelfed to allow for extended essays.
Is there a safer alternative out there that allows for more than 500-character toots and 4 images??
-
@AnthonyJK but can't you just increase the character limit in any standard masto instance? That was configurable to my knowledge - just the default being 500...
-
I can't on mine, because I'm on a self-hosted paid monthly subscription plan via masto.host, and they don't allow you that privilege of increasing toot character length. I would have to sign with a separate instance from another platform like Lenny in order to have more room to toot.
-
Yeah, Mastodon's unwillingness to allow max post length to be easily configured is a huge issue (dating back to 2017!). So frustrating.
It's worth checking out GoToSocial -- it meets your requirements of > 500 characters (and includes Markdown formatting) and more than 4 images. It's still beta but very solid, I've been using it for @jdp23 for a while (with phanpy as the web interface) and love it. K&T hosting has plans starting at $3.75/month - https://www.knthost.com/gotosocial
-
@fionafokus@mystical.garden that was an excellent writeup. I am disappointed but not surprised by the improper response from the sole maintainer of Pixelfed.
That kind of understanding of how to handle complex and severe security vulnerabilities comes with time and experience.